Set the cookie SameSite directive to Strict #2296
Labels
maintenance
Ticket related to maintenance that needs to be done
template-update
Tickets that need to be updated using the appropriate issue template
Success criteria
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookie header in some cases. Part of pulibrary/dacs_handbook#154
Example PR
pulibrary/orangelight#3932
Tradeoff
If a user logs into bibdata, navigates to a non-Princeton Web site (e.g. the indexing documentation in GitHub), and then clicks a link from that Web site back to bibdata, they will need to log in to bibdata again.
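To make the rationale and the tradeoff concrete, here is an added Ruby model (not code from bibdata or the linked PR) of when a browser attaches a cookie under each SameSite value; the scenarios are constructed from this issue. In a Rails app the attribute itself is set through the session store's `same_site:` option (assumed here; the example PR shows the actual change).

```ruby
# Added example (not code from bibdata or the linked PR): a small model of the
# browser's SameSite decision, so the CSRF benefit and the re-login tradeoff
# can be checked side by side.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Would the browser attach a cookie carrying +same_site+ (:strict, :lax or
# :none) to this request?
#   cross_site: the page issuing the request is on a different site than the
#               cookie's site (e.g. github.com -> bibdata)
#   top_level:  the request is a top-level navigation (link click, redirect),
#               not a subresource, fetch or iframe load
#   method:     the HTTP method of the request
def cookie_sent?(same_site, cross_site:, top_level:, method: "GET")
  return true unless cross_site
  case same_site
  when :strict then false
  when :lax    then top_level && SAFE_METHODS.include?(method.upcase)
  when :none   then true
  else raise ArgumentError, "unknown SameSite value: #{same_site.inspect}"
  end
end

# Constructed scenarios taken from the issue text.
SCENARIOS = {
  # The tradeoff: following a link from non-Princeton docs back to bibdata.
  link_from_github:       { cross_site: true,  top_level: true,  method: "GET" },
  # The classic CSRF case: a foreign page auto-submits a form to bibdata.
  cross_site_form_post:   { cross_site: true,  top_level: true,  method: "POST" },
  # A foreign page loading a bibdata resource via <img>, <iframe> or fetch.
  cross_site_subresource: { cross_site: true,  top_level: false, method: "GET" },
  # Ordinary in-app navigation is unaffected by any SameSite value.
  same_site_navigation:   { cross_site: false, top_level: true,  method: "GET" },
}.freeze

# Returns { scenario => { strict: bool, lax: bool, none: bool } }.
# Lax already blocks the cross-site POST; Strict additionally withholds the
# cookie on the cross-site GET navigation, which is the re-login tradeoff.
def same_site_matrix
  SCENARIOS.transform_values do |req|
    %i[strict lax none].to_h { |mode| [mode, cookie_sent?(mode, **req)] }
  end
end

if $PROGRAM_NAME == __FILE__
  same_site_matrix.each { |name, row| puts format("%-24s %p", name, row) }
end
```

Chromium's temporary "Lax+POST" allowance applies only to cookies that carry no SameSite attribute at all, so it is not modelled here; an explicit Strict or Lax value behaves as shown.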
Further reading
I found this from Mozilla, this from Portswigger, and this blog post from Andrew Lock to be helpful in understanding this topic.