Bug #21445
JSESSIONID cookie should have a SameSite policy (closed)
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression:
Description
https://caniuse.com/mdn-http_headers_set-cookie_samesite_lax_default
Only some modern browsers have a default Lax policy; we should provide one to prevent trivial CSRF against the internal API.
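A small audit script for the point above, added here as an example and not part of the Rudder issue or its fix: it parses Set-Cookie header values and reports a session cookie that relies on the browser default instead of carrying an explicit SameSite=Lax or Strict. The cookie path and sample headers are constructed.

```python
from typing import Dict, List, Optional, Tuple

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value or None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as HttpOnly/Secure have no value.
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs

def samesite_finding(header: str, session_cookie: str = "JSESSIONID") -> Optional[str]:
    """Return a finding for the session cookie, or None when it is explicitly Lax/Strict.

    An absent attribute is reported because only some browsers default to Lax;
    SameSite=None is reported because it gives no CSRF protection at all.
    """
    name, _, attrs = parse_set_cookie(header)
    if name != session_cookie:
        return None
    samesite = attrs.get("samesite")
    if samesite is None:
        return f"{name}: no SameSite attribute; relies on browser default"
    mode = samesite.lower()
    if mode == "none":
        if "secure" not in attrs:
            return f"{name}: SameSite=None without Secure; browsers reject it"
        return f"{name}: SameSite=None offers no CSRF protection"
    if mode not in ("lax", "strict"):
        return f"{name}: unknown SameSite value {samesite!r}"
    return None

def audit(headers: List[str]) -> List[str]:
    """Collect findings over a list of Set-Cookie header values."""
    return [f for f in (samesite_finding(h) for h in headers) if f]

# Constructed sample headers, as they might be captured from login responses.
SAMPLES = [
    "JSESSIONID=abc123; Path=/rudder; HttpOnly",
    "JSESSIONID=abc123; Path=/rudder; HttpOnly; SameSite=Lax",
    "JSESSIONID=abc123; Path=/rudder; Secure; SameSite=None",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```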
Updated by Alexis Mousset over 2 years ago
- Subject changed from JSESSIONID cookie should have a sameiste policy to JSESSIONID cookie should have a SameSite policy
Updated by Alexis Mousset over 2 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset over 2 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/4380
Updated by Alexis Mousset over 2 years ago
- Target version changed from 7.1.4 to 6.2.16
Updated by Alexis Mousset over 2 years ago
- Status changed from Pending technical review to In progress
- Assignee changed from François ARMAND to Alexis Mousset
Updated by Alexis Mousset over 2 years ago
- Status changed from In progress to Pending release
Applied in changeset rudder|4f1f9effdb2c54dc3a9ca809e264ff6ecd4fa7b6.
Updated by Alexis Mousset over 2 years ago
- Fix check changed from To do to Checked
Updated by Alexis Mousset over 2 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.2.16, 7.0.5 and 7.1.3 which were released today.