[wp-trac] [WordPress Trac] #37000: Support for the SameSite cookie attribute
WordPress Trac
noreply at wordpress.org
Wed Apr 25 17:33:07 UTC 2018
#37000: Support for the SameSite cookie attribute
--------------------------------------+------------------------------
Reporter: johnbillion | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: dev-feedback needs-patch | Focuses: administration
--------------------------------------+------------------------------
Comment (by tomdxw):
I’ve written a proof of concept plugin which adds SameSite=Lax for all
auth cookies:
https://gist.github.com/tomdxw/9d7eced5f951680d6eeb52fe6a7a48dc
I tested with a vulnerable plugin, and it works to prevent the CSRF.
The change is tiny - when being merged into core it would require adding
one function and modifying 4 lines (the 4 setcookie() lines in
wp_set_auth_cookie).
In the very rare situations where a site needs to receive authenticated
POST requests, the SameSite cookie can be disabled via filter.
I agree with @mwaclawek. As it’s already been implemented by three of the
major browsers (shipped in Chrome, coming to Firefox in May, implemented
in WebKit but not released in Safari yet), there’s little chance of
substantial change. But it will do a great deal of good by fixing the
majority of CSRF vulnerabilities in WordPress plugins (of which there are
a lot: https://wpvulndb.com/search?utf8=%E2%9C%93&text=csrf ).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37000#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list