
Use appropriate SameSite values for cookies #15185

Merged
merged 5 commits into from Dec 12, 2019

Conversation

katebutler

Part of #14395

core/Cookie.php Outdated (resolved)

tsteur commented Dec 7, 2019

@Findus23 @MichaelHeerklotz any chance you could give this PR a test as well?

core/Cookie.php Outdated
*/
private static function getSameSiteValueForBrowser($default)
{
$sameSite = ucfirst($default);
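Review bot: `ucfirst($default)` only upper-cases the first character, so a caller passing `LAX` or `nOne` has the rest of the string forwarded unchanged, and nothing in this snippet rejects a value outside the three defined tokens. Normalise with `ucfirst(strtolower($default))` and then check the result against `Lax`, `Strict` and `None`, returning the default when it does not match, so an unexpected caller value can never be serialised into the Set-Cookie header.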

Just FYI, might be good to use ucfirst(strtolower($default))? Just in case...

core/Cookie.php Outdated
@@ -153,7 +156,8 @@ protected function setCookie($Name, $Value, $Expires, $Path = '', $Domain = '',
. (empty($Path) ? '' : '; path=' . $Path)
. (empty($Domain) ? '' : '; domain=' . $Domain)
. (!$Secure ? '' : '; secure')
. (!$HTTPOnly ? '' : '; HttpOnly');
. (!$HTTPOnly ? '' : '; HttpOnly')
. (!$sameSite ? '' : '; SameSite=' . $sameSite);
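Review bot: the added `'; SameSite=' . $sameSite` concatenates the value into the header string without validation or encoding, in the same way `$Path` and `$Domain` already are; if `$sameSite` is not guaranteed to be one of `Lax`, `Strict` or `None` by the time it reaches this line, validate it or `rawurlencode` it before concatenation. Separately, browsers that implement the newer SameSite rules reject `SameSite=None` unless the cookie also carries `Secure`, and this hunk allows `$sameSite` to be `None` while `$Secure` is false; consider forcing `; secure` (or refusing `None`) when the request is not over HTTPS, otherwise the cookie is silently dropped by those browsers.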

Just to be safe we maybe want to rawurlencode the SameSite value... and just to be safe maybe also domain and path, even though they are values coming from our system?

@@ -61,7 +61,7 @@ public static function setIgnoreCookie()
$ignoreCookie->delete();
} else {
$ignoreCookie->set('ignore', '*');
$ignoreCookie->save();
$ignoreCookie->save('None');
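Review bot: `save('None')` needs a comment explaining why the opt-out cookie must be sent cross-site, and a guard for insecure contexts: browsers only honour `SameSite=None` when the cookie is also `Secure`, so over plain HTTP this cookie is dropped and the visitor stays tracked despite having opted out. The `save()` signature change that accepts this argument is not part of this hunk, so it is not visible here whether `Secure` is set alongside `None`; make that explicit in `save()` or reject `None` on non-HTTPS requests.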

should we move this for now into this PR that handles the opt out? https://github.com/matomo-org/matomo/pull/15184/files

@tsteur tsteur added this to the 3.13.1 milestone Dec 12, 2019
@katebutler katebutler added the Needs Review PRs that need a code review label Dec 12, 2019
@tsteur tsteur merged commit 109926d into 3.x-dev Dec 12, 2019
@tsteur tsteur deleted the 14395-cookies branch December 12, 2019 21:12
jonasgrilleres pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 22, 2020
jbuget pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 26, 2020
Labels
Needs Review PRs that need a code review