
Use SameSite none for session token when embedded into iframe #15439

Merged 1 commit on Jan 29, 2020

Conversation

@tsteur (Member) commented Jan 23, 2020

fix #15414

Worked for me after enabling embed framed pages. It was setting None as SameSite though, instead of Lax, and I was able to view reports within the frame etc.

Used this:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<iframe width="100%" height="600" src="https://example.com/index.php?module=Login&action=logme&login=root&password=TOKEN"></iframe>

</body>
</html>
```

@tsteur tsteur added not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Needs Review PRs that need a code review labels Jan 23, 2020
@tsteur tsteur added this to the 3.13.2 milestone Jan 23, 2020
@dm577 commented Jan 23, 2020

Can this be tested on Chrome 80 with the "Samesite by default cookies" and "Cookies without Samesite must be secure" flags set as enabled? That is what the default behavior will be when Chrome 80 is launched on Feb 4 and if a cookie is set with SameSite=none without being marked as Secure, it will be blocked.
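The cookie behaviour this PR and the comment above are about, written out as an added Python example (not Matomo's code): a session cookie that is embedded cross-site needs SameSite=None, and Chrome 80+ drops a SameSite=None cookie that is not also Secure, so the attributes have to be chosen together. The cookie name `SESSID`, the policy function and the audit rules are assumptions for illustration; the audit can be run over any Set-Cookie header to flag the None-without-Secure case before a browser silently rejects it.

```python
"""Session-cookie SameSite selection plus a Set-Cookie audit.

Added example, not Matomo code. The cookie name and the policy below are
assumptions chosen to illustrate the SameSite=None / Secure coupling.
"""
from typing import Dict, List, Optional

SESSION_COOKIE = "SESSID"  # assumed name, not Matomo's real session cookie


def choose_same_site(embedded_in_iframe: bool, is_https: bool) -> Dict[str, object]:
    """Return the SameSite/Secure attributes for the session cookie.

    Lax is the safe default: the browser will not send the cookie on a
    cross-site iframe load, which is exactly what breaks framed embedding.
    None is used only when framing is enabled AND the request is HTTPS,
    because Chrome 80+ rejects SameSite=None cookies that lack Secure. Over
    plain HTTP we keep Lax rather than emit a cookie the browser will drop.
    """
    if embedded_in_iframe and is_https:
        return {"SameSite": "None", "Secure": True}
    return {"SameSite": "Lax", "Secure": is_https}


def build_set_cookie(name: str, value: str, attrs: Dict[str, object]) -> str:
    """Render a Set-Cookie header value; HttpOnly is always set for a session."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if attrs.get("Secure"):
        parts.append("Secure")
    parts.append(f"SameSite={attrs['SameSite']}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse a Set-Cookie header into {attribute: value}.

    Flag attributes (Secure, HttpOnly) map to None; attribute names are
    lower-cased. The leading name=value pair is kept under __name__/__value__.
    """
    segments = [s.strip() for s in header.split(";") if s.strip()]
    name, _, value = segments[0].partition("=")
    result: Dict[str, Optional[str]] = {"__name__": name, "__value__": value}
    for seg in segments[1:]:
        key, sep, val = seg.partition("=")
        result[key.strip().lower()] = val.strip() if sep else None
    return result


def audit_set_cookie(header: str) -> List[str]:
    """Report how a Chrome 80+ style browser would treat this cookie."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    same_site = (cookie.get("samesite") or "").lower()
    if same_site == "none" and "secure" not in cookie:
        findings.append("SameSite=None without Secure: rejected by Chrome 80+")
    if "samesite" not in cookie:
        findings.append("no SameSite attribute: treated as Lax by Chrome 80+, "
                        "so not sent to a cross-site iframe")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly")
    return findings


if __name__ == "__main__":
    # Constructed sample: framed over HTTPS vs. framed over plain HTTP.
    for embedded, https in ((True, True), (True, False), (False, True)):
        header = build_set_cookie(SESSION_COOKIE, "abc123",
                                  choose_same_site(embedded, https))
        print(header, "->", audit_set_cookie(header) or "ok")
    # Constructed bad header: the exact case dm577 warns about.
    print(audit_set_cookie("SESSID=abc123; Path=/; SameSite=None"))
```

The policy function refuses to emit SameSite=None over plain HTTP; the framed page then simply does not get a session, which is a visible failure rather than a cookie the browser discards without telling the server.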

@diosmosis (Member) commented

Works for me after loading on demo2, both w/ and without the settings mentioned by @dm577

@diosmosis diosmosis merged commit 162513d into 3.x-dev Jan 29, 2020
@diosmosis diosmosis deleted the 15414 branch January 29, 2020 01:16
sgiehl added a commit that referenced this pull request Feb 11, 2020
* Updates search engine and social definitions (#15384)

* updates device detector to latest release (#15388)

* updates device detector to latest release

* updates tests

* translation update (#15389)

* Fix Could not get the lock for ID, when creating a site (#15401)

* Lock key start

* do not empty key lock

Co-authored-by: Thomas Steur <tsteur@users.noreply.github.com>

* 3.13.1

* submodule updates

* Use correct name in update available message (#15423)

* Fix removing user capabilities (#15422)

* Order of implode() args, avoid E_NOTICE in PHP7.4 (#15428)

* Fixes possible php warning in visitor log (#15442)

* silence is_executable call (#15446)

* Make sure geolocation admin experience is consistent if user is not using GeoIp2 plugin. (#15447)

* Fix referrers test. (#15448)

* Ensure to close visitor popover correctly (#15443)

* Fixes possible warning (#15453)

* Forward instance_id from local config when resetting config during tests. (#15445)

* Add event that allows plugins to disable archiving for certain periods/sites if they want. (#15457)

* Add event that allows plugins to disable archiving for certain periods/sites if they want.

* apply review feedback

* Fix possible warning for columns without index (#15467)

* Day range archiving issue (#15462)

* Improve lock ID check for max length (#15407)

Better patch for #15401 which was merged last minute...

This way it always works even when someone calls `acquireLock` directly instead of `execute`

Pushing this for now into 3.x-dev but can also put it into 4.x-dev directly but then there might be merge conflicts when merging 3.x-dev into 4.x-dev

* Use SameSite none for session token when embedded into iframe (#15439)

* Make sure tracking works in IE9 and lower (#15480)

* Mention Joomla install FAQ (#15481)

* Make sparklines work when mbstring extension is not installed (#15489)

1) Too few arguments to function mb_strtolower(), 1 passed in matomo/vendor/davaxi/sparkline/src/Sparkline/StyleTrait.php on line 129 and exactly 2 expected

2) mb_strlen is not defined

* update screenshots (#15488)

* 3.13.2-rc1

* Use safemode when running CLI commands (#15472)

* update icons submodule (#15490)

* update icons submodule

* update UI tests

* Fix possible undefined index notice (#15502)

* Use latest davaxi/sparkline release (#15464)

* translation update

* submodule updates

* Fix deprecation notice (#15530)

see #15467 (comment)

* 3.13.2-rc2

* update cache component (#15536)

* fixes copy dashboard to user for more than 100 users (#15538)

cherry picking #15424 to fix #15420 in 3.x-dev

* Add missing return statement. (#15539)

* 3.13.2

* update tests

* update tests

Co-authored-by: Matthieu Aubry <mattab@users.noreply.github.com>
Co-authored-by: Thomas Steur <tsteur@users.noreply.github.com>
Co-authored-by: Peter Upfold <pgithub@upfold.org.uk>
Co-authored-by: diosmosis <diosmosis@users.noreply.github.com>
Co-authored-by: Lukas Winkler <github@lw1.at>
jonasgrilleres pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 22, 2020
jbuget pushed a commit to 1024pix/pix-analytics that referenced this pull request Sep 26, 2020