Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set samesite=lax on session cookies #3221

Closed
alex opened this issue Mar 11, 2018 · 5 comments · Fixed by #3600
Closed

Set samesite=lax on session cookies #3221

alex opened this issue Mar 11, 2018 · 5 comments · Fixed by #3600
Labels
feature request

Comments

@alex
Copy link
Member

alex commented Mar 11, 2018

This is a strong defense-in-depth mechanism for protecting against CSRF. It's currently only respected by Chrome, but Firefox will add it as well.
@alex
Copy link
Member Author

alex commented Mar 11, 2018

This may be blocked on Pylons/pyramid#2733

@brainwane brainwane added feature request requires triaging maintainers need to do initial inspection of issue needs discussion a product management/policy issue maintainers and users should discuss labels Mar 12, 2018
@brainwane brainwane added blocked Issues we can't or shouldn't get to yet and removed needs discussion a product management/policy issue maintainers and users should discuss requires triaging maintainers need to do initial inspection of issue labels Mar 20, 2018
@brainwane
Copy link
Contributor

Thanks, @alex.

Yeah, after Pyramid supports this, Warehouse should add it.

@alex
Copy link
Member Author

alex commented Mar 20, 2018

I think we're blocked on a WebOb release, not pyramid support.

@di
Copy link
Member

di commented Apr 5, 2018

I think this is unblocked now that #3554 has been merged.

@di di removed the blocked Issues we can't or shouldn't get to yet label Apr 5, 2018
alex added a commit that referenced this issue Apr 5, 2018
@alex
fixes #3221 -- mark session cookies as samesite
ba7b962
@dstufft dstufft closed this as completed in e427a20 Apr 6, 2018
di added a commit to di/warehouse that referenced this issue Apr 10, 2018
@di
Revert "fixes pypi#3221 -- mark session cookies as samesite (pypi#3568)"
6081221 
This reverts commit e427a20.
di added a commit that referenced this issue Apr 10, 2018
@di
Downgrade webob to 1.7.4 (#3598)
f386666 
* Revert "fixes #3221 -- mark session cookies as samesite (#3568)"

This reverts commit e427a20.

* Revert "Update webob to 1.8.0 (#3554)"

This reverts commit e3548b3.
@di
Copy link
Member

di commented Apr 10, 2018

Temporarily reopened due to #3598.

@di di reopened this Apr 10, 2018
@di di mentioned this issue Apr 10, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Revert "Downgrade webob to 1.7.4 (#3598)" pypi/warehouse
3 participants
@alex @di @brainwane