-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove cookies from Clear-Site-Data Header #11847
Remove cookies from Clear-Site-Data Header #11847
Conversation
In 2f87fb6 this header was introduced. The referenced documentation says: > When delivered with a response from https://example.com/clear, the following header will cause cookies associated with the origin https://example.com to be cleared, as well as cookies on any origin in the same registered domain (e.g. https://www.example.com/ and https://more.subdomains.example.com/). This also applies if `https://nextcloud.example.com/` sends the `Clear-Site-Data: "cookies"` header. This is not the behavior we want at this point! So I removed the deletion of cookies from the header. This has no effect on the logout process as this header is supported only recently and the logout works in old browsers as well. Signed-off-by: Patrick Conrad <conrad@iza.org>
Hi, is there a reason why a test that has nothing to do with my changes fails? Best, |
This fix is really good. The problem described has a big impact of users. I administer multiple Nextcloud instances, when users log out from the Nextcloud web interface they are log out from every other service which shares the same domain name. That affects email (webclient) and other webapps, the users needs to re-login in every service, which is time consuming. In my opinion Nextcloud should not affect other tabs or services. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested and works 👍
CI failure unrelated |
@iPaat Could I ask you to open a backport pull request? Basically check out |
Thanks a lot for your contribution. And maybe have a look at the "good first issue" labeled issues ;) https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 |
In 2f87fb6 this header was introduced. The referenced documentation says:
This also applies if
https://nextcloud.example.com/
sends theClear-Site-Data: "cookies"
header.This is not the behavior we want at this point!
So I removed the deletion of cookies from the header. This has no effect on the logout process as this header is supported only recently and the logout works in old browsers as well.
Fix #9010