[wp-trac] [WordPress Trac] #37000: Support for the SameSite cookie attribute
WordPress Trac
noreply at wordpress.org
Thu Jun 2 13:31:15 UTC 2016
#37000: Support for the SameSite cookie attribute
----------------------------+--------------------------------------
Reporter: johnbillion | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords: dev-feedback needs-patch
Focuses: administration |
----------------------------+--------------------------------------
IETF's [https://tools.ietf.org/html/draft-west-first-party-cookies Same-site Cookies draft] was
[https://www.chromestatus.com/feature/4672634709082112 shipped in Chrome 51 and Opera 39].
The SameSite cookie attribute instructs a browser not to send that cookie
with cross-origin third-party requests (such as iframes, embedded images,
and Ajax requests). This effectively mitigates CSRF attacks as, for
example, the user will not be authenticated for a given third party URL
that's being used in a CSRF attack.
More information on the SameSite attribute can be found here:
http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
We should investigate whether setting the `SameSite=lax` attribute is of
benefit to the `auth` and/or `logged_in` cookies in WordPress, and if so
consider implementing it once the draft becomes an RFC.
PHP uses the `setcookie()` wrapper for setting cookies, which means that
setting the SameSite attribute is not possible using that function, until
such point that support for the attribute gets added. If WordPress were to
implement the SameSite attribute, we'd need our own cookie handling
function which constructs and sets the `Set-Cookie` header itself, and use
it in place of `setcookie()` (side note: this may also be beneficial to
unit testing).
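As an added illustration of the approach described above (example code, not WordPress core code and not part of the ticket), a hypothetical PHP function that assembles the `Set-Cookie` header itself, adds the SameSite attribute, and returns the header string so a unit test can inspect it without sending output; the function name and signature are assumptions:

```php
<?php
/**
 * Build and emit a Set-Cookie header by hand, so attributes that
 * setcookie() does not know about (here SameSite) can still be set.
 * Hypothetical helper written for this example, not WordPress code.
 */
function wp_example_set_cookie(
    string $name, string $value, int $expires = 0, string $path = '/',
    string $domain = '', bool $secure = false, bool $httponly = true,
    string $samesite = 'Lax'
): string {
    // Same characters setcookie() rejects: they would break the header.
    if ($name === '' || preg_match("/[=,; \t\r\n\013\014]/", $name)) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict, Lax or None');
    }
    // Browsers drop SameSite=None cookies that are not also Secure.
    if ($samesite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }

    // Encode the value so separators in it cannot inject extra attributes.
    $parts = [$name . '=' . rawurlencode($value)];
    if ($expires > 0) {
        // RFC 6265 date format, always in GMT.
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $expires);
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    $parts[] = 'Path=' . $path;
    if ($domain !== '') {
        $parts[] = 'Domain=' . $domain;
    }
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($httponly) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $samesite;

    $header = 'Set-Cookie: ' . implode('; ', $parts);
    // Second argument false: keep earlier Set-Cookie headers (e.g. auth
    // and logged_in are sent in the same response).
    if (!headers_sent()) {
        header($header, false);
    }
    return $header;
}
```

Since PHP 7.3, `setcookie()` accepts an options array with a `samesite` key, so a hand-built header like this is only necessary on older PHP versions.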
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37000>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform