Some cookies are misusing the recommended “sameSite” attribute
Currently we are not setting the sameSite cookie attribute, so it gets the default value sameSite=None.
Firefox (version 86) complains:
Cookie “_csrf_token” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Cookie “session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
We should set one of these:
SameSite=None; Secure
SameSite=Lax
With a recent version of flask-seasurf, SameSite=Lax is the default value (if unset), so it could fix itself without changing a single line of code.
However, just to be sure, perhaps we should set CSRF_COOKIE_SAMESITE in the Flask config.
The session cookie is most likely handled here:
https://gitlab.nic.cz/turris/reforis/reforis/-/blob/master/reforis/sessions/sessions.py#L122
However, flask-session does not support sameSite, so we should probably patch our version of flask-session or use a fork where it is fixed.
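As an added example (not reforis, flask-seasurf or flask-session code), the check below applies the rule behind the Firefox warning quoted above to Set-Cookie values and rewrites them with an explicit SameSite, which is the output a patched flask-session or the CSRF_COOKIE_SAMESITE setting would have to produce; the sample headers and their placeholder token values are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed Set-Cookie values mimicking the two cookies Firefox flagged;
# the token values are placeholders, not real secrets.
SAMPLE_HEADERS = [
    "_csrf_token=CSRFPLACEHOLDER; Path=/; HttpOnly",
    "session=SESSIONPLACEHOLDER; Path=/; HttpOnly; SameSite=None",
    "session=SESSIONPLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=None",
    "_csrf_token=CSRFPLACEHOLDER; Path=/; HttpOnly; SameSite=Lax",
]
VALID_SAMESITE = {"lax", "strict", "none"}
# Attribute names are case-insensitive; emit the conventional spelling.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "secure": "Secure",
             "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Return the name=value pair and {lowercase attr: value}; flags map to None."""
    parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return parts[0], attrs


def samesite_warning(header: str) -> Optional[str]:
    """Firefox's rule: SameSite missing/invalid/None without Secure. None = OK."""
    _, attrs = parse_set_cookie(header)
    samesite = (attrs.get("samesite") or "").lower()
    if samesite in ("lax", "strict") or "secure" in attrs:
        return None
    if not samesite:
        return "SameSite missing (treated as None) without Secure"
    if samesite == "none":
        return "SameSite=None without Secure"
    return f"invalid SameSite value {samesite!r} without Secure"


def harden_set_cookie(header: str, samesite: str = "Lax") -> str:
    """Rewrite with an explicit SameSite; SameSite=None also forces Secure."""
    if samesite.lower() not in VALID_SAMESITE:
        raise ValueError(f"unsupported SameSite value: {samesite}")
    pair, attrs = parse_set_cookie(header)
    attrs.pop("samesite", None)
    if samesite.lower() == "none":
        attrs["secure"] = None  # browsers reject None without Secure
    attrs["samesite"] = samesite
    items = [CANONICAL.get(k, k) + ("" if v is None else f"={v}") for k, v in attrs.items()]
    return "; ".join([pair] + items)
```

Running `samesite_warning` over the headers your app actually emits (for example from a Flask test client's response) reproduces the browser's complaint before users see it.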