@neunzehnachtneun opened this Issue on May 1st 2019

Hi together,
this is my first issue in this project, so hopefully I do it right.
I would like to request a new feature to improve privacy. At the moment it is already possible to set the cookie lifetime to a shorter timespan and to set the cookie as secure.
I suggest also setting the cookie attributes HttpOnly and SameSite=Strict, so privacy would be improved and cross-site request forgery attacks could be prevented.

Thank you!

@fdellwing commented on May 1st 2019 Contributor

As far as I'm aware, every cookie that can be httponly is httponly. Can you show one that is not that way?

@tsteur commented on May 1st 2019 Member

What do you refer to here, @neunzehnachtneun? To the JS tracker? In JS you cannot set a cookie as httponly.

@neunzehnachtneun commented on May 2nd 2019

Thank you for answering! Yes, I refer to the JS tracker and, yes, you are totally right. I read a bit about JavaScript and cookies and it's totally useless to set the cookie header to httponly.

But I also read about the cookie attribute 'samesite=strict', which is possible to use with JavaScript and which I would like to use with Matomo. What do you think about that?

@fdellwing commented on May 2nd 2019 Contributor

While using samesite you need to really take care of your cookie domain or you will run into a hell of a lot of trouble. This is especially important if you use a reverse proxy.

(This does not mean I'm against it, but it might be a breaking change for some people.)

@tsteur commented on May 2nd 2019 Member

You would also need to have Matomo running on the very same domain? Not even a subdomain? Or would a subdomain still work?
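The two points raised above, that a script can set SameSite and Secure but never HttpOnly, and that the cookie Domain decides whether a subdomain or a reverse-proxied host still receives the cookie, can be made concrete with a small example. This is added example code, not Matomo's tracker or any code from this thread; the cookie name, value and hostnames are constructed, and `document.cookie` itself is not touched so the functions also run under Node. The domain check implements the plain RFC 6265 domain-match rule and, as a simplification, does not consult the public suffix list.

```javascript
// Added example (not Matomo's own code). Assumes a generic JS tracker that
// writes a first-party cookie; names and values below are constructed.

const SAMESITE_VALUES = new Set(["Strict", "Lax", "None"]);

// Build the string a tracker would assign to document.cookie.
// HttpOnly is deliberately not an option: the browser ignores that attribute
// when a cookie is written from script, so offering it would mislead.
function buildCookieString({ name, value, maxAgeSeconds, domain, path = "/",
                             secure = false, sameSite = "Lax" }) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[;,\s]/.test(value)) {
    throw new Error("cookie value must not contain ';', ',' or whitespace");
  }
  if (!SAMESITE_VALUES.has(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires Secure");
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAgeSeconds) && maxAgeSeconds >= 0) {
    parts.push(`Max-Age=${maxAgeSeconds}`);
  }
  if (domain) parts.push(`Domain=${domain}`);
  if (secure) parts.push("Secure");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse a cookie string back into name, value and attributes (attribute
// names lower-cased, flag attributes mapped to true) for review or testing.
function parseCookieString(str) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const out = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    if (i === -1) out.attributes[a.toLowerCase()] = true;
    else out.attributes[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return out;
}

// RFC 6265 domain matching: a cookie with Domain=example.com is sent to
// example.com and to every subdomain of it, but a Domain that is not a
// suffix of the current host is rejected outright. A leading dot is ignored,
// as browsers do. Public-suffix handling is omitted here (assumption).
function domainCoversHost(cookieDomain, host) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Stand-alone demonstration with constructed values.
if (typeof require !== "undefined" && require.main === module) {
  const c = buildCookieString({
    name: "tracker_id", value: "abc123", maxAgeSeconds: 86400,
    domain: "example.com", secure: true, sameSite: "Strict",
  });
  console.log(c);
  console.log(parseCookieString(c));
  console.log(domainCoversHost("example.com", "analytics.example.com")); // subdomain: covered
  console.log(domainCoversHost("analytics.example.com", "www.example.com")); // sibling: not covered
}
```

Setting `SameSite=Strict` from the tracker only changes what the browser attaches to requests; whether the analytics host still receives the cookie depends on the `Domain` attribute matching that host, which is the reverse-proxy and subdomain concern raised above.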

@MichaelHeerklotz commented on May 12th 2019 Contributor

SameSite is an origin-related setting and should be used with caution. It would have effects on the tracked data and most certainly break the 3rd-party cookie in many use cases.
