Commit 39a4aa20 authored by Stan Hu

Make all HTTPS cookies set SameSite to none

Some users reported being logged out quite frequently, and we suspect
a change in Chrome caused this.

Chrome v80, rolled out in March 2020, treats any cookies without the
SameSite directive set as though they are SameSite=Lax
(https://www.chromestatus.com/feature/5088147346030592). This is a
breaking change from the previous default behavior, which was to treat
those cookies as SameSite=None.

To fix this, we add a middleware that tags all cookies with the Secure
and SameSite=None headers. This middleware is needed until we upgrade to
Rack v2.1.0+
(https://github.com/rack/rack/commit/c859bbf7b53cb59df1837612a8c330dfb4147392)
and a version of Rails that has native support
(https://github.com/rails/rails/commit/7ccaa125ba396d418aad1b217b63653d06044680).

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/212551
Parent 05d3494b
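The middleware described in the commit message, as an added example written for this page; it is not the GitLab code from this commit and makes two assumptions: the Rack < 2.1 convention of several Set-Cookie values joined by "\n" in one header string (an Array is accepted too), and a design choice to leave a cookie alone if the application already set an explicit SameSite attribute, adding only a missing Secure flag. The class name SameSiteNoneCookies and the sample cookie strings are constructed for the example. The HTTPS check matters because Chrome 80 also rejects SameSite=None cookies that are not marked Secure, so tagging cookies on plain-HTTP responses would make them disappear entirely.

```ruby
# Added example, not GitLab's own middleware. Plain Rack protocol, no gem needed:
# a middleware is an object with call(env) returning [status, headers, body].
class SameSiteNoneCookies
  COOKIE_HEADER = 'Set-Cookie'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)

    # Only rewrite on HTTPS: SameSite=None without Secure is dropped by Chrome 80+,
    # and Secure cookies can never be set over plain HTTP anyway.
    if https?(env) && headers[COOKIE_HEADER]
      headers[COOKIE_HEADER] = self.class.rewrite(headers[COOKIE_HEADER])
    end

    [status, headers, body]
  end

  # Rack sets rack.url_scheme from the socket; trust X-Forwarded-Proto only if
  # the app is behind a proxy that strips that header from clients (assumption).
  def https?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTPS'] == 'on' ||
      env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  # Rack < 2.1 joins multiple Set-Cookie values with "\n" in one header string;
  # newer Rack may hand us an Array. Normalise, tag each cookie, re-join.
  def self.rewrite(value)
    cookies = value.is_a?(Array) ? value : value.split("\n")
    cookies.map { |cookie| tag_cookie(cookie) }.join("\n")
  end

  # Add Secure and SameSite=None to one Set-Cookie value, without duplicating
  # attributes and without overriding a SameSite the app chose explicitly.
  def self.tag_cookie(cookie)
    parts = cookie.split(';').map(&:strip).reject(&:empty?)
    parts << 'Secure'        unless parts.any? { |p| p.casecmp?('secure') }
    parts << 'SameSite=None' unless parts.any? { |p| p =~ /\Asamesite=/i }
    parts.join('; ')
  end
end

# Usage with a stub app; the cookie strings are constructed sample data.
SAMPLE_APP = lambda do |_env|
  [200,
   { 'Set-Cookie' => "_gitlab_session=abc; path=/; HttpOnly\nfoo=bar; SameSite=Strict" },
   ['ok']]
end

def tagged_cookie_header(scheme)
  _status, headers, _body = SameSiteNoneCookies.new(SAMPLE_APP).call('rack.url_scheme' => scheme)
  headers['Set-Cookie']
end
```

Note that the trade-off this middleware makes is the one the commit makes: every cookie becomes usable in cross-site requests again, so CSRF protection rests entirely on the application's tokens, not on the browser's SameSite default.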