[gear] Make csrf cookie samesite=strict #14180
Conversation
| @@ -98,6 +96,5 @@ async def render_template( | |||
| context['csrf_token'] = csrf_token | |||
|
|
|||
| response = aiohttp_jinja2.render_template(file, request, context) | |||
| domain = cookie_domain or deploy_config._domain | |||
| response.set_cookie('_csrf', csrf_token, domain=domain, secure=True, httponly=True) | |||
| response.set_cookie('_csrf', csrf_token, secure=True, httponly=True, samesite='strict') | |||
There was a problem hiding this comment.
Hmm. I feel like I'm now a bit confused about our previous conversation.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#strict
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
It sounds like Strict is necessary for CSRF to work: otherwise I could put this on an evil website (excuse my totally invented HTML, I didn't bother to look up the right syntax and attribute names) and trick people into cancelling their batches, right?
<form method="POST" url="https://batch.hail.is/batches/123/cancel">
<button>
</form>
In particular, do we have any CSRF protection at all right now?
I agree we should remove the domain attribute:
Only the current domain can be set as the value, or a domain of a higher order, unless it is a public suffix. Setting the domain will make the cookie available to it, as well as to all its subdomains.
If omitted, this attribute defaults to the host of the current document URL, not including subdomains.
There was a problem hiding this comment.
The server compares the cookie value to a value in the request (hidden value in the form), which means that in order to create a malicious form the evil site would need to know the value of the cookie which it can't because it is not the same origin (assuming they have not achieved the ability to set a cookie on our domain in which case signing our cookies would help)
Currently, the
_csrfcookie is made available to all subdomains of.hail.is. This means that if I first visitbatch.hail.isI get a_csrfcookie set for.hail.is. That cookie is then reused if I visitci.hail.is. Even more awkward, the same value of the cookie will get reused if I then visitbatch.azure.hail.is. This isn't that big of a deal, these can all be considered part of the same application that the hail team delivers and secures, but it is very little work to set stricter bounds on where this cookie is sent. By removing thedomainattribute and usingsamesite='strict', the cookie's domain will be set by the browser to the domain of the request whose response included theSet-Cookieheader, e.g.batch.hail.isorinternal.hail.is.Strictmode then ensures that the cookie will only be sent to that exact domain, meaning that each application is guaranteed to receive the_csrftoken that it itself delivered, and a_csrftoken from CI cannot be used to take actions against Batch.This should not have an adverse impact on existing users' browser sessions. In
render_templatewe preserve the value of an existing_csrfcookie so this change should do the following:.hail.is)_csrfcookieSet-Cookieheader with a new_csrfcookie for strictly thebatch.hail.isdomain but with the same token value as the original_csrfcookie