Why must SameSite=none? #587
Comments
|
That's a big pain point for me as well and I would actually never deploy something to prod with this setting. I think the browser should just sent even host only cookies to the IdP in that case and since it's behind the scenes anyway, I don't see an issue with doing that. The other way around, setting |
|
@samuelgoto any additional info on this? |
We are working with our privacy and security reviewers to figure out what we can do about this. Will report back. |
@johannhof I hear that this is working as intended. Can you help us understand why |
|
I think I understand your concern and that you consider requests initiated by FedCM to meet a higher bar than "regular" cross-site fetch requests, however, let's look at the available options and their current definitions:
Of course, we can revisit and change things if they don't make sense. This was discussed in #248 and the suggestion back then was to add a We could consider broadening the definition of cc @arturjanc for thoughts |
|
@DCtheTall FYI ^ |
|
Thanks @johannhof. I think the problem is that FedCM requests feel like a new thing. Is there any precedent for requests that are sent by the browser but which the origin has no direct control over the method, content, or response (only the URI can be controlled by the RP)? I can see why you technically consider them to be cross-site requests since they wouldn't be fired without visiting an RP, but do they really fit the description of what we've always considered cross-site on the web up to this point? The term is generally used in conversations involving CSRF security concerns and privacy, and I haven't been able to come up with any scenarios where FedCM requests would introduce a security vulnerability (caveat: I am not a security expert). The endpoints are highly prescribed and the results aren't directly accessible to the RP. On the flip side, forcing all cookies to be SameSite=none for FedCM introduces real, tangible security issues. |
|
Yeah, I understand the negative security implications this would cause for IdPs in the mid term (that is, until 3rd party cookies are blocked by default without workarounds in all browsers) and I agree it's not a great outcome. I'm honestly torn on this issue. I'd love to hear from some of the tagged folks (@arturjanc @annevk @bvandersloot-mozilla) regarding their thoughts on a possible inclusion of FedCM requests in |
|
I think it would make a lot of sense to even be able to set host only cookies, even with On the other hand, if we would set host only or samesite cookies, they are restricted to the IdPs domain / host and would not leak anywhere else, even when the FedCM is not used. |
|
Chatted with @arturjanc about this offline, and the fact that all these endpoints have to be pre-registered by the IdP in a config file makes us think that carving this out as a new instance where @sebadob relaxing cross-origin restrictions feels like a fundamentally different suggestion and much less likely to happen, as that is a concern of not leaking additional data to the IdP endpoint (which could also be a risk to that endpoint itself, if there are ways for subdomains to set the cookies it is looking for). This is all very hard to reason about and it's important that we don't pull the rug on security concepts people are relying on. |
|
@johannhof don't get me wrong, I would never want this to be a global change, only for these specific endpoints where we actually need the cookies during the FedCM flow. Basically like you suggested. The |
|
I don't understand the discussion about Creating a new avenue for (Also, you never get protection from CORS. The protection is from the same-origin policy. CORS pokes holes in that.) |
Sorry the Edit: The main question was actually only, why the FedCM wants |
|
I appreciate the time being taken to seriously consider this concern. Honestly the situation makes me a bit uneasy. Just because it seems safer to relax SameSite=lax than to require SameSite=none doesn't necessarily mean that's the case. My instincts tell me this should be treated as a new thing. The SameSite=federated suggestion should work. But if people who know more about security than me (not a high bar) sign off on SameSite=lax being relaxed, I won't complain. |
|
I tend to agree that a My intuition is that the FedCM requests are something fundamentally different and it'd be appropriate/okay/safe to send I'd note that the document to which @johannhof previously referred is is currently in Working Group Last Call in the IETF's HTTP WG. Would it be worthwhile to provide feedback about this here issue and try and get a carve-out or allowance of some sort for these unique kinds of requests? Is anyone aware of similar platform originating requests and if or how they are handling similar considerations? |
|
Implementation-wise, Chrome used to send SameSite=Strict cookies as well, however there was strong opposition to that so we ended up with what we do now (SameSite=None only). |
@cbiesinger would it be equally trivial / easy for Chrome to send |
I am currently inquiring about that |
|
Even if we would set these cookies to Because there is no additional token or verification. You receive a cross-origin request, which has not been accepted or whitelisted before (because that would destroy the "sign in without upfront registration"). Then you can only validate the users login / session based on a single cookie, which can be sent from anyone and anywhere because it is not set to I mean, if I am missing something here, please correct me, but I don't see how this should work in a secure manner with having either a Edit:
|
The FedCM endpoints in particular, which I think you are talking about (?), can/should verify that the |
|
@cbiesinger mentioned this over in #212 but I think it is more relevant to this issue and bears repeating here - the last paragraph in https://fedidcg.github.io/FedCM/#browser-api (copied below because content at github.io isn't necessarily stable) actually contradicts the behavior to only send SameSite=None designated cookies.
|
Does that imply that the google account cookies are |
Ah yes, of course, totally forgot that you can't modify the |
If we agree on the Note that browsers can make this change without requiring standardization, the standard usually follows implementation. |
|
Before we can reach agreement I think someone has do the work on explaining the limited protections that exist around SameSite=Lax today and how this feature doesn't make the situation worse for existing SameSite=Lax cookies. Also, standardization as a concept very much is inclusive of discussions such as this one so I can't really agree with your statement there. |
I was more suggesting (or asking about) making a suggestion to the IETF's HTTP WG for 6265bis to make some acknowledgement that other kinds of requests might exist that fall outside the SameSite enforcement requirements stated therein. Such an acknowledgement or allowance would maybe preempt citing the soonish-to-be RFC as reasoning that FedCM requests (or similar) can only attach
AFAICT, it is specified in FedCM #587 (comment) and the behavior in chrome is divergent from that (thanks BTW @aaronpk for the pointer/note in FedCM for IndieAuth).
I am well aware that browsers can do whatever they want. However, I might humbly suggest that the interplay between standards and implementation is much more nuanced than that. Or should be anyway. |
As best I understand and can summarize things here, this would mean attaching SameSite=Lax cookies only to requests initiated via this new browser API to a few new endpoints that are required to enforce the presence of a
Yeah, standardization needs to be inclusive and more than just documenting implementation. |
See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f
See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5675433 Reviewed-by: Yi Gu <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Charlie Reis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1325570}
See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5675433 Reviewed-by: Yi Gu <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Charlie Reis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1325570}
See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5675433 Reviewed-by: Yi Gu <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Charlie Reis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1325570}
|
Chrome Canary now (starting in 128.0.6589.0) supports sending SameSite=Lax cookies for credentialed FedCM requests behind a flag, @bvandersloot-mozilla let me attempt to summarize my understanding here: But if FedCM requires None, that means you have to allow your cookies to be sent in a lot more cases, which is undesirable. Can someone confirm whether I summarized the issue correctly? |
Not quite, Lax cookies are more strict than that. They are only sent on top-level navigations, using safe methods. There are additional relaxations in place for cookies that are Lax because they have no attribute set, but those are sort-of-bad to rely upon and are an artifact of failing to migrate the default SameSite attribute fully.
Agreed that this is probably the case, but if that is because the previous behavior was using the SameSite-Lax-by-default exceptions we should find a better answer for them. |
…dition to None, a=testonly Automatic update from web-platform-tests [FedCM] Send SameSite=Lax cookies, in addition to None See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5675433 Reviewed-by: Yi Gu <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Charlie Reis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1325570} -- wpt-commits: aa0082aa9066bb6064ff91636dd9d69d22e4bca3 wpt-pr: 47065
…dition to None, a=testonly Automatic update from web-platform-tests [FedCM] Send SameSite=Lax cookies, in addition to None See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5675433 Reviewed-by: Yi Gu <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Charlie Reis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1325570} -- wpt-commits: aa0082aa9066bb6064ff91636dd9d69d22e4bca3 wpt-pr: 47065
…dition to None, a=testonly Automatic update from web-platform-tests [FedCM] Send SameSite=Lax cookies, in addition to None See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5675433 Reviewed-by: Yi Gu <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Charlie Reis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1325570} -- wpt-commits: aa0082aa9066bb6064ff91636dd9d69d22e4bca3 wpt-pr: 47065
See discussion in w3c-fedid/FedCM#587 This is behind the FedCmSameSiteLax flag for now. Bug: 350944661 Change-Id: I3e5fe99b98560f680217cd3326ff66d290a5290f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5675433 Reviewed-by: Yi Gu <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Charlie Reis <[email protected]> Cr-Commit-Position: refs/heads/main@{#1325570}
|
Hi @anderspitman, could you explain how you use SameSite=Lax cookies today, especially with respect to Ben's last comment? Do you only use redirects today? |
|
@cbiesinger sorry for the late response. Yes, I'm only using redirects currently. |
@anderspitman, could you give this a try and see if what @cbiesinger implemented works for you and your deployment? |
|
@samuelgoto didn't realize I might not be blocked on this. I'll give it a shot. |
|
@samuelgoto @cbiesinger unfortunately this doesn't seem to be working. Running on version |
This is currently necessary for FedCM. In order to try and protect against unanticipated security issues from this, I added a new lax cookie that is set on all requests. I then gated all non-FedCM access to the login cookie behind the getLoginCookie function. This function verifies that the lax cookie is present, which indicates the request is not cross-site. We can't use the Origin header for this because FedCM doesn't send it for privacy reasons. Hopefully FedCM eventually changes to allow SameSite=lax so we don't have to worry about this. See w3c-fedid/FedCM#587
|
I've implemented my workaround for prod LastLogin. The way it works is I set a simple lax cookie for all requests, and made my login cookies SameSite=none. I then gated them behind a check to verify the lax cookie is present for all requests except FedCM /accounts and /id-assertion. I would appreciate feedback from those in this thread to make sure I'm not missing any subtle security holes. |
|
I am curious regarding why it did not work for you. Did you enable the feature, restarted Chrome, and tried it out? Did you not get the Lax cookies or what didn't work? |
|
@npm1 with the feature enabled looks like Chrome is sending the cookies for /accounts, but not /id-assertion. Without the flag it doesn't send them for either. |
|
Ok thanks! I pointed this out in https://issues.chromium.org/issues/350944661 although Christian is out till Wednesday |
|
Thanks for passing that on. And no worries, I'm pretty sure my workaround is secure and there's no rush to get this implemented on my end. It definitely would still be very useful in the future for added security and for ease for new implementers. I know @sebadob has stated he wouldn't deploy FedCM for Rauthy unless lax cookies can be used. Not sure if his position has changed. |
Can you expand on what workaround you used? |
|
I mentioned it here: #587 (comment) I can give more details if that's confusing. Basically since we have to use SameSite=None, the browser is always sending the login cookies, even cross-domain. So I added another SameSite=Lax cookie that acts as a "key" that turns on the login cookie. All endpoints require that key to be present except for /fedcm/accounts and /fedcm/id-assertion |
|
So it turns out that making SameSite=Lax is harder than it initially seemed. Since the ID assertion request is a POST request, and POST requests do not receive SameSite=Lax cookies, it is not enough to treat these requests as top-level requests. We also can't treat ID assertion requests as same-site requests due to the CORS requirement. So this might require discussions involving the fetch spec and/or cookie layering... It seems @anderspitman has a workaround for now, so am not planning to work on this issue for now. |
I've searched the repo and read through #212 and #248 but I'm still confused about the SameSite=none requirement.
LastLogin currently uses SameSite=lax for all cookies. Changing to none potentially opens up several vulnerabilities that need to be carefully considered. I get some protection from CORS, but there are so many edge cases that things can slip through with "simple requests" etc. I could also add a tiny sentinel cookie set with SameSite=lax and then require both cookies for all endpoints except FedCM, but again that requires me to get it right everywhere, which is dangerous.
Overall, why is this necessary in the first place? It seems like a very intentional decision, but I haven't found a clear explanation yet. As @samuelgoto mentions here it seems to me that FedCM already is secure enough to be trusted sending lax cookies.
The text was updated successfully, but these errors were encountered: