
Set SameSiteMode for cookies in authentication tests #25281


Merged
merged 1 commit into from
Aug 26, 2020


captainsafia
Member

@captainsafia captainsafia commented Aug 26, 2020

Chrome (as of v80) enforces a strict check on cookie settings. Cookies set with SameSiteMode=None must be marked as secure.

The Identity.Server sets the SameSiteMode to None by default. This PR sets the SameSiteMode to Lax by default since the WASM auth tests do not run on an HTTPS server.

I verified this by confirming that a Register -> Log in -> visit preferences flow works on the Authentication app.

@captainsafia captainsafia requested review from SteveSandersonMS and a team as code owners August 26, 2020 19:09
@ghost ghost added the area-blazor Includes: Blazor, Razor Components label Aug 26, 2020
@pranavkm
Contributor

FYI @BrennanConroy

Member

@javiercn javiercn left a comment


Is there something we need product wise here?

@mkArtakMSFT
Contributor

mkArtakMSFT commented Aug 26, 2020

Merging this without waiting for the checks to pass as this is blocking many other PRs.
FYI @Pilchie

@mkArtakMSFT mkArtakMSFT merged commit e2dd296 into release/5.0 Aug 26, 2020
@mkArtakMSFT mkArtakMSFT deleted the safia/wasm-auth-tests branch August 26, 2020 19:22
@BrennanConroy
Member

Do the wasm tests not run cross origin?

@wtgodbe
Member

wtgodbe commented Aug 26, 2020

There's still the issue with the java tests, right?

@captainsafia
Member Author

> Is there something we need product wise here?

@javiercn If we have a template for Blazor WASM + Identity server, we might want to consider including the same SameSite guards that we use in our OIDC sample (ref). Alternatively, we can document it and refer users to blog posts like this one.

> Do the wasm tests not run cross origin?

Not these particular tests. They run on a hosted Blazor WASM app running on a single port.
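
One possible form of a SameSite guard for the situation discussed in this thread, as an added example that is not code from this PR, from the OIDC sample mentioned above, or from the aspnetcore repository. The class and method names (`SameSiteGuardExtensions`, `AddSameSiteGuard`) are hypothetical; the cookie-policy APIs it calls are the standard ASP.NET Core ones.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (hypothetical helper): keeps SameSite=None cookies valid under
// Chrome 80+ rules, which reject SameSite=None unless the cookie is also Secure.
public static class SameSiteGuardExtensions
{
    public static IServiceCollection AddSameSiteGuard(this IServiceCollection services)
    {
        return services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not force a SameSite value onto cookies that did not set one.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;

            // Inspect every cookie written or deleted through Response.Cookies.
            options.OnAppendCookie = ctx => Apply(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => Apply(ctx.Context, ctx.CookieOptions);
        });
    }

    private static void Apply(HttpContext http, CookieOptions cookie)
    {
        // Only cookies explicitly marked SameSite=None need attention.
        if (cookie.SameSite != SameSiteMode.None)
        {
            return;
        }

        if (http.Request.IsHttps)
        {
            // Over HTTPS, keep None and add the Secure attribute it requires.
            cookie.Secure = true;
        }
        else
        {
            // A Secure cookie would never be sent back over plain HTTP, so on
            // an HTTP-only host (such as a test server) fall back to Lax.
            cookie.SameSite = SameSiteMode.Lax;
        }
    }
}

// Wiring (in Startup): call services.AddSameSiteGuard() in ConfigureServices and
// app.UseCookiePolicy() in Configure, before the middleware that issues the
// cookies (for example app.UseAuthentication()).
```

The Lax fallback is only safe for same-origin setups such as the single-port hosted app described above; a flow that needs the cookie on cross-site requests has to run over HTTPS. Behind a TLS-terminating proxy, `Request.IsHttps` reflects the original scheme only when forwarded headers are processed first.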

wtgodbe pushed a commit that referenced this pull request Sep 8, 2020
* Set SameSiteMode for cookies in authentication tests (#25281)

* Fix SignalR typescript tests with Chrome SameSite reaction (#25283)

* Disable template tests that use Selenium

Co-authored-by: Brennan <[email protected]>
Co-authored-by: Doug Bunting <[email protected]>