[wp-trac] [WordPress Trac] #37000: Support for the SameSite cookie attribute
WordPress Trac
noreply at wordpress.org
Thu Jan 14 10:27:40 UTC 2021
#37000: Support for the SameSite cookie attribute
-------------------------------------------------+-------------------------
Reporter: johnbillion | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Resolution:
Keywords: has-patch dev-feedback needs-dev-note has-unit-tests | Focuses: administration
-------------------------------------------------+-------------------------
Comment (by r0wan):
Replying to [comment:37 jmichaelward]:
> In Gravity Forms, users who attempt to authenticate their sites with
external services using OAuth usually get redirected back to the settings
page in the admin. However, we've found that this fails in Chrome if the
admin has been logged into the site for more than 2 minutes. In those
situations, when the external service redirects back to WordPress, the
users are returned to the login screen.
This sounds like you may be hitting the Lax + POST mitigation which was
allowing cookies created within a two minute window to be sent on cross-
site POST requests. This was initially intended to provide some breathing
room for SSO clients that were setting a nonce or similar security token
in a cookie which would be validated on the callback POST from the
sign-in service. https://www.chromium.org/updates/same-site/faq#sites-canvas-main-content:~:text=Lax%20%2B%20POST%20mitigation
It also sounds similar to the issue some sites were hitting with 3-D
Secure verification on payments, where the returning call was a cross-site
POST request that was resulting in the site's session cookies not being
included on that request. I've got a little write up of that behaviour and
potential solutions here: https://goo.gle/samesite-3d-secure
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37000#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
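The comment above describes why a cross-site POST callback (OAuth redirect, 3-D Secure return) loses the site's session cookie once the admin has been logged in for more than two minutes. The following is an added example, not code from the ticket, from WordPress or from Chromium: a small Python model of Chrome's documented SameSite rules (Lax by default for cookies with no attribute, the two-minute "Lax + POST" grace window for those cookies only, explicit Lax/Strict/None handling) applied to a constructed callback scenario. Cookie names (`wp_session`, `wp_session_none`), timings and the `callback_outcomes` helper are assumptions made for illustration; the `SameSite=None; Secure` case shows the standard way a cookie is made available on cross-site requests, not a recommendation taken from the ticket.

```python
"""Model of Chrome's SameSite cookie-sending rules (Lax-by-default plus the
two-minute "Lax + POST" grace window) applied to a cross-site OAuth / 3-D
Secure callback.  Added example; not code from the ticket or from Chromium."""
from dataclasses import dataclass
from typing import Dict, Optional

# Length of Chrome's "Lax + POST" grace window, as described in the Chromium
# SameSite FAQ linked in the comment above.
LAX_POST_WINDOW_SECONDS = 120

# Methods a Lax cookie is always sent with on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool
    created_at: float         # seconds on any monotonic clock (constructed values below)


@dataclass
class Request:
    method: str
    cross_site: bool          # initiator site differs from the target site
    top_level: bool           # top-level navigation (redirect, form POST) vs. XHR/iframe/img
    https: bool
    now: float


def is_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if the browser attaches `cookie` to `req` under Chrome's rules."""
    mode = (cookie.samesite or "").lower()

    if mode == "none":
        # SameSite=None is only accepted together with Secure; Chrome rejects
        # the cookie at set time otherwise, so it is never available to send.
        return cookie.secure and req.https

    if not req.cross_site:
        return True                     # same-site request: every mode allows it

    if mode == "strict":
        return False                    # Strict: never on cross-site requests

    # Explicit Lax, or no attribute (treated as Lax by default)
    if not req.top_level:
        return False                    # XHR/fetch/iframe/img never get Lax cookies cross-site

    if req.method.upper() in SAFE_METHODS:
        return True                     # Lax allows safe-method top-level navigations

    if mode == "" and req.method.upper() == "POST":
        # Lax + POST mitigation: applies only to cookies with NO SameSite
        # attribute, and only while they are younger than the grace window.
        return (req.now - cookie.created_at) <= LAX_POST_WINDOW_SECONDS

    return False


def callback_outcomes() -> Dict[str, bool]:
    """Constructed scenario (assumption, not from the ticket): the identity
    provider or card issuer POSTs the user back to the site's admin page, and
    the session cookie was set `now` seconds ago."""
    def callback(now: float) -> Request:
        return Request("POST", cross_site=True, top_level=True, https=True, now=now)

    default_cookie = Cookie("wp_session", None, True, created_at=0.0)        # no SameSite attribute
    none_cookie = Cookie("wp_session_none", "None", True, created_at=0.0)   # SameSite=None; Secure
    return {
        "default_logged_in_60s": is_sent(default_cookie, callback(60.0)),    # inside the grace window
        "default_logged_in_180s": is_sent(default_cookie, callback(180.0)),  # past it: cookie dropped
        "none_secure_180s": is_sent(none_cookie, callback(180.0)),           # always sent
    }


if __name__ == "__main__":
    for scenario, sent in callback_outcomes().items():
        print(f"{scenario}: cookie {'sent' if sent else 'NOT sent'}")
```

Note that an explicit `SameSite=Lax` cookie gets no grace window at all: `is_sent(Cookie("c", "Lax", True, 0.0), Request("POST", True, True, True, 10.0))` is `False`, so a site that proactively sets Lax on its session cookie sees the callback fail from the first second rather than after two minutes, which is worth knowing when reproducing the report above.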