Make Gitpod cookie "stricter" #16406
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
started the job as gitpod-build-at-test-strict.1 because the annotations in the pull request description changed |
roboquat
added
release-note-none
and removed
do-not-merge/release-note-label-needed
labels
|
@geropl, please have a look. |
AlexTugarev
commented
Feb 15, 2023
|
Ah, nice idea! 💡 ✨ I wonder if it's worth the effort. But will definitely have a closer look after lunch. 🙏 |
AlexTugarev
commented
Feb 15, 2023
geropl
reviewed
Feb 15, 2023
AlexTugarev
commented
Feb 15, 2023
AlexTugarev
force-pushed
the
at/test-strict
branch
from
5f89bf6 to
7260cd5
Compare
|
/hold I didn't test (re-)starting workspaces, thus it's not verified if that works with IDE at all. |
|
/hold cancel Starting workspaces ✔️ |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
13 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR changes the way we're managing sameSite setting of the Gitpod cookie (aka session cookie).
We know, having them on
laxmode in general comes with a reduction of browser based security mechanism. OTOH the current OAuth2 implementation relies on the session cookie being present on redirects. Also, during the OAuth2 flow, the mentioned browser security model might be neglected, at least there would be other measures possible to harden that process not relying on the browser agent. Given that, we can improve the security posture, by switching tolaxmode for OAuth2 processes and back tostrictmode when the process is done.Related Issue(s)
Fixes #
How to test
Release Notes
Documentation
Build Options:
Experimental feature to run the build with GitHub Actions (and not in Werft).
leeway-target=components:all
Run Leeway with
--dont-testPublish Options
Installer Options
Add desired feature flags to the end of the line above, space separated
Preview Environment Options:
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh