Bug 64077 - Support SameSite, Secure and httpOnly parameter
Summary: Support SameSite, Secure and httpOnly parameter
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_usertrack
Version: 2.4.41
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2020-01-15 16:04 UTC by prashant keshvani
Modified: 2020-02-22 17:10 UTC
Attachments
Patch for same (3.47 KB, patch)
2020-01-15 16:25 UTC, prashant keshvani

Description prashant keshvani 2020-01-15 16:04:28 UTC
Hello there, because Chrome 80 would treat all cookies which do not specify SameSite=None as Lax cookies, I am afraid the mod_usertrack cookie cannot be used as a third-party cookie.

1) Configure an httpd virtualhost/server which has mod_usertrack available; let's call it foobar.com. Put a small image, let's say img1.png, so that it is accessible as foobar.com/img1.png

2) Access foobar.com/img1.png. Make sure in the browser that the appropriate tracking cookie has been set.
 
3) Configure another httpd virtualhost/server, say bazbar.com, which has a page called test.html containing a reference to foobar.com/img1.png

4) While accessing bazbar.com/test.html, Chrome would show a warning saying the mod_usertrack cookie is set without a SameSite attribute, and from Chrome 80 it will be treated as a Lax cookie unless explicitly marked SameSite=None

More info
https://www.chromestatus.com/feature/5088147346030592
https://www.chromestatus.com/feature/5633521622188032
Comment 1 prashant keshvani 2020-01-15 16:25:48 UTC
Created attachment 36965 [details]
Patch for same
Comment 2 prashant keshvani 2020-01-15 16:26:10 UTC
Submitted patch :)
Comment 3 Eric Covener 2020-01-15 16:33:51 UTC
Thanks Prashant. Do you think we need a backdoor per-request environment variable to avoid adding the parm for intolerant browsers?  We don't need to calculate it, just check if some usertrack-no-samesite is present in subprocess_env table? You can see examples in mod_deflate of how no-gzip is checked.
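Added example (not from the bug report, the attached patch, or httpd's own C code): a small model of both halves of this thread. Part 1 builds the tracking Set-Cookie header the way a mod_usertrack-style module would after this change, including the per-request opt-out Eric proposes in comment 3; the variable name usertrack-no-samesite is taken from his comment, and whether trunk uses that exact name, or how it names the new directives, is not stated on this page, so the cfg field names here are illustrative. Part 2 models the Chrome 80 defaults the description refers to, to show why the cookie from steps 1 and 2 is dropped on the cross-site <img> request in step 4 and what a SameSite=None; Secure cookie changes. The hostnames, IP and cookie value are constructed.

```javascript
// Added example, not httpd code. Part 1 is a model of the server side;
// Part 2 is a model of Chrome 80's cookie handling. All names are illustrative.

// ---- Part 1: server side ----------------------------------------------------

// cfg mirrors the settings the patch adds (field names are this example's own):
//   { name, value, path, sameSite: "None"|"Lax"|"Strict"|null, secure, httpOnly }
// env models r->subprocess_env: a plain object keyed by variable name.
function buildSetCookie(cfg, env) {
  const parts = [`${cfg.name}=${cfg.value}`];
  if (cfg.path) parts.push(`path=${cfg.path}`);
  // Opt-out for browsers that choke on SameSite: only the presence of the
  // variable matters, the same way mod_deflate checks for no-gzip.
  // The variable name is the one suggested in comment 3 (assumption).
  const optOut = Object.prototype.hasOwnProperty.call(env, "usertrack-no-samesite");
  let secure = cfg.secure;
  if (cfg.sameSite && !optOut) {
    parts.push(`SameSite=${cfg.sameSite}`);
    // Chrome 80 rejects SameSite=None without Secure, so this example forces
    // Secure rather than emit a cookie the browser silently discards.
    // (This is the example's choice, not necessarily what httpd does.)
    if (cfg.sameSite === "None") secure = true;
  }
  if (secure) parts.push("Secure");
  if (cfg.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// ---- Part 2: browser side (Chrome 80 defaults) --------------------------------

// Parse a Set-Cookie header value into { name, value, attrs }; attribute keys
// are lower-cased, valueless attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Effective SameSite mode of a cookie under Chrome 80 rules, or null when the
// browser refuses to store it at all.
function effectiveSameSite(cookie, secureOrigin) {
  let mode = "Lax"; // Chrome 80: a missing SameSite attribute is treated as Lax
  if (typeof cookie.attrs.samesite === "string") {
    const m = cookie.attrs.samesite.toLowerCase();
    if (m === "none") mode = "None";
    else if (m === "strict") mode = "Strict";
    // "lax" and unrecognised values keep the Lax default
  }
  // A Secure cookie can only be set from a secure (https) origin.
  if (cookie.attrs.secure === true && !secureOrigin) return null;
  // SameSite=None is only honoured together with Secure; otherwise rejected.
  if (mode === "None" && cookie.attrs.secure !== true) return null;
  return mode;
}

// Would the cookie from `header` be attached to a request? ctx:
//   crossSite: the request's site differs from the cookie's site
//   topLevel:  a navigation (link/address bar) rather than a subresource
//   method:    HTTP method of the request
function wouldBeSent(header, ctx, secureOrigin = true) {
  const mode = effectiveSameSite(parseSetCookie(header), secureOrigin);
  if (mode === null) return false;      // never stored in the first place
  if (!ctx.crossSite) return true;      // same-site requests get every mode
  if (mode === "None") return true;
  if (mode === "Strict") return false;
  return ctx.topLevel && ctx.method === "GET"; // Lax: top-level safe navigations only
}

// Constructed scenario from the description: foobar.com sets the tracking
// cookie, bazbar.com/test.html embeds <img src="https://foobar.com/img1.png">.
const imgFromBazbar = { crossSite: true, topLevel: false, method: "GET" };
const baseCfg = { name: "Apache", value: "203.0.113.7.1579104240123456", path: "/" };

const before = buildSetCookie({ ...baseCfg, sameSite: null, secure: false, httpOnly: false }, {});
const after  = buildSetCookie({ ...baseCfg, sameSite: "None", secure: true, httpOnly: true }, {});
```

Running wouldBeSent(before, imgFromBazbar) gives false (defaulted to Lax, dropped on the cross-site image) and wouldBeSent(after, imgFromBazbar) gives true; passing { "usertrack-no-samesite": "1" } as env to buildSetCookie drops the SameSite attribute for the intolerant-browser case. One caveat the model leaves out: Chrome 80 also allowed cookies without a SameSite attribute on top-level cross-site POSTs for two minutes after they were set, a temporary mitigation that does not help the subresource case in step 4.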
Comment 4 prashant keshvani 2020-01-22 20:03:33 UTC
(In reply to Eric Covener from comment #3)
> Thanks Prashant. Do you think we need a backdoor per-request environment
> variable to avoid adding the parm for intolerant browsers?  We don't need to
> calculate it, just check if some usertrack-no-samesite is present in
> subprocess_env table? You can see examples in mod_deflate of how no-gzip is
> checked.

Hello Eric!
Got your point; buy me some time to work on this and I will get back to you.
Thanks!
Comment 5 Eric Covener 2020-02-22 17:10:59 UTC
Submitted with tweaks in http://svn.apache.org/viewvc?view=revision&revision=1874389 and will propose for backport.

Thanks again!