[wp-trac] [WordPress Trac] #37000: Support for the SameSite cookie attribute

WordPress Trac noreply at wordpress.org
Thu Jan 14 10:27:40 UTC 2021


#37000: Support for the SameSite cookie attribute
-------------------------------------------------+-------------------------
 Reporter:  johnbillion                          |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback needs-dev-    |     Focuses:
  note has-unit-tests                            |  administration
-------------------------------------------------+-------------------------

Comment (by r0wan):

 Replying to [comment:37 jmichaelward]:
 > In Gravity Forms, users who attempt to authenticate their sites with
 external services using OAuth usually get redirected back to the settings
 page in the admin. However, we've found that this fails in Chrome if the
 admin has been logged into the site for more than 2 minutes. In those
 situations, when the external service redirects back to WordPress, the
 users are returned to the login screen.

 This sounds like you may be hitting the Lax + POST mitigation which was
 allowing cookies created within a two minute window to be sent on cross-
 site POST requests. This was initially intended to provide some breathing
 room for SSO clients that were setting a nonce or similar security token
 in a cookie which would be validated on the callback POST from the
 sign-in service.
 https://www.chromium.org/updates/same-site/faq#sites-canvas-main-content:~:text=Lax%20%2B%20POST%20mitigation

 It also sounds similar to the issue some sites were hitting with 3-D
 Secure verification on payments, where the returning call was a cross-site
 POST request that was resulting in the site's session cookies not being
 included on that request. I've got a little write up of that behaviour and
 potential solutions here: https://goo.gle/samesite-3d-secure

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/37000#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
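The following is an added worked example, not code from the ticket, from Chromium or from WordPress: a small JavaScript model of how a Chromium-style browser decides whether to attach a cookie to a request under Lax-by-default, including the two-minute "Lax + POST" window that the reply above attributes the behaviour to. It assumes the rules as described in the Chromium SameSite FAQ (unspecified SameSite is treated as Lax, except that a cookie set less than two minutes ago is also sent on top-level cross-site POSTs; SameSite=None requires Secure); real browsers add further conditions (registrable-domain matching, redirect chains, cookie-setting rules) that the model leaves out. The cookie name, request shape and timings are constructed for illustration.

```javascript
// Added example: a model of Chromium's Lax-by-default cookie attachment,
// with the "Lax + POST" two-minute mitigation. Not browser or WordPress
// code; rules are an assumption based on the Chromium SameSite FAQ.

const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // two-minute window after creation

// A stored cookie. `sameSite` is "Strict", "Lax", "None" or undefined
// (the server did not set the attribute at all).
function makeCookie({ name, sameSite, secure = false, createdAt }) {
  return { name, sameSite, secure, createdAt };
}

// Effective SameSite mode at time `now`. Cookies with no explicit attribute
// default to Lax, but within two minutes of creation they behave as
// "Lax+POST": additionally sent on top-level cross-site POST navigations.
function effectiveSameSite(cookie, now) {
  if (cookie.sameSite !== undefined) return cookie.sameSite;
  return now - cookie.createdAt < LAX_POST_WINDOW_MS ? "LaxPost" : "Lax";
}

// Would the browser attach `cookie` to `req`?
// req = { method, crossSite, topLevelNavigation, https }
function cookieIsSent(cookie, req, now) {
  const mode = effectiveSameSite(cookie, now);
  if (mode === "None") {
    // SameSite=None is only honoured together with Secure over HTTPS.
    return cookie.secure && req.https;
  }
  if (!req.crossSite) return true;           // same-site requests: always sent
  if (mode === "Strict") return false;       // Strict: never cross-site
  if (!req.topLevelNavigation) return false; // fetch/XHR/iframe/subresource: never for Lax
  if (req.method === "GET") return true;     // Lax: top-level safe-method navigations
  return mode === "LaxPost" && req.method === "POST"; // the mitigation window
}

// The OAuth / 3-D Secure return described in the thread: the external
// service sends the user back with a top-level cross-site POST over HTTPS.
const CALLBACK_POST = {
  method: "POST", crossSite: true, topLevelNavigation: true, https: true,
};

// Constructed scenario: the same session cookie in four configurations,
// evaluated when the callback POST arrives at time `now`.
function callbackScenario(now) {
  const minute = 60 * 1000;
  const fresh = makeCookie({ name: "session", createdAt: now - 1 * minute });
  const stale = makeCookie({ name: "session", createdAt: now - 3 * minute });
  const noneSecure = makeCookie({
    name: "session", sameSite: "None", secure: true, createdAt: now - 30 * minute,
  });
  const noneInsecure = makeCookie({
    name: "session", sameSite: "None", secure: false, createdAt: now - 30 * minute,
  });
  return {
    // logged in 1 minute ago, no attribute: inside the Lax+POST window, sent
    freshUnspecified: cookieIsSent(fresh, CALLBACK_POST, now),
    // logged in 3 minutes ago, no attribute: plain Lax, dropped on the POST,
    // so the site sees an unauthenticated request (the login-screen symptom)
    staleUnspecified: cookieIsSent(stale, CALLBACK_POST, now),
    // SameSite=None; Secure: survives the cross-site POST regardless of age
    explicitNoneSecure: cookieIsSent(noneSecure, CALLBACK_POST, now),
    // SameSite=None without Secure: rejected
    noneWithoutSecure: cookieIsSent(noneInsecure, CALLBACK_POST, now),
  };
}

console.log(callbackScenario(Date.now()));
```

The scenario shows why an admin who has been logged in for longer than the window loses the session on the callback while a freshly logged-in one does not, and why the two usual remedies are to mark the cookie that must survive the callback as `SameSite=None; Secure` (HTTPS only) or to have the external service return via a top-level GET redirect, which plain Lax permits.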