Samesite on Firefox 96

Written by: David Moreno Montero
Number of replies: 4

Hi,

After the rollout of Firefox 96, using Moodle in an iframe stopped working for us because of SameSite changes [1][2]. I had to change lib/classes/session/manager.php:635 (should_use_samesite_none()) to always return true.

Does anybody know if it breaks on older browsers or Safari? Or is it a good default from now on?


[1] https://www.mozilla.org/en-US/firefox/96.0/releasenotes/

[2] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/


Average rating: Useful (3)
In reply to David Moreno Montero

Re: Samesite on Firefox 96

Written by: Liam Moran

I'm surprised this issue is causing so little discussion. Several of our mission critical LTI applications have stopped working at the start of the term with the Firefox 96 rollout. The solution you suggest here is for servers running PHP older than 7.3, right?

As far as I can tell, the issue is that the remote servers are providing an underspecified Set-Cookie header without explicitly declaring a SameSite=None policy, but I put a pause on wrapping my head around it once it looked like something that needs to be fixed on the LTI provider instead of the LMS.

In reply to David Moreno Montero

Re: Samesite on Firefox 96

Written by: Eric Phetteplace
We're also seeing this problem. Rather than returning true for all browser versions, what exactly should the conditional in should_use_samesite_none be? The comment in that function implies that some browser versions do not support SameSite=None, so it seems like always returning true will cause some problems as it fixes others.
This is my guess on how the function should be patched, but I'd love feedback:

    private static function should_use_samesite_none(): bool {
        // We only want None or no attribute at this point. When we have cookie handling compatible with Lax,
        // we can look at checking a setting.

        // Browser support for None is not consistent yet. There are known issues with Safari and IE11.
        // Things are stabilising; however, as they're not stable yet we will deal specifically with the version of Chrome
        // that introduces a default of Lax, setting it to None for the current version of Chrome (2 releases before the change).
        // Firefox 96 is added here for the same reason: it is the release that started defaulting to Lax.
        // We also check you are using secure cookies and HTTPS because if you are not running over HTTPS
        // then setting SameSite=None will cause your session cookie to be rejected.
        if ((\core_useragent::check_browser_version('Chrome', '78') || \core_useragent::check_browser_version('Firefox', '96'))
                && is_moodle_cookie_secure()) {
            return true;
        }
        return false;
    }

Also, as an aside, that function's documentation says it returns a string when you can see from its signature that it returns a boolean.
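The two posts above raise two separate checks: whether the LTI provider's Set-Cookie header is actually usable inside a cross-site iframe (Liam's point about an underspecified header), and whether a given client is one of the browsers known to mishandle SameSite=None (the "known issues with Safari and IE11" comment Eric quotes). The Python below is an added example written for this thread; it is not Moodle code and not anything a participant posted. The sample headers and user-agent strings are constructed, and the incompatible-client rules (Chrome 51-66 rejecting SameSite=None cookies, Safari on iOS 12 and macOS 10.14 treating None as Strict) are taken from Chromium's published SameSite incompatible-clients list, which is an assumption you should re-check against your own browser support matrix. The "Lax by default" behaviour is the one the thread reports for Firefox 96 and that Chrome has shipped since version 80.

```python
"""Audit Set-Cookie headers and user agents for cross-site (iframe/LTI) cookie use.

Added example for the forum thread; not Moodle code. The header samples,
user agents and the incompatible-client rules below are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed Set-Cookie headers, not captured from any real LTI provider.
SAMPLE_HEADERS = [
    "MoodleSession=abc123; path=/; HttpOnly",                        # no SameSite at all
    "MoodleSession=abc123; path=/; Secure; HttpOnly; SameSite=None",  # correct for an iframe
    "ltisession=xyz; path=/; SameSite=None",                          # None but not Secure
    "prefs=1; path=/; Secure; SameSite=Lax",                          # explicitly same-site only
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def audit_for_cross_site_embed(header: str) -> List[str]:
    """Return the problems that stop this cookie from reaching a cross-site iframe.

    An empty list means the cookie is usable from a third-party context in a
    browser that defaults unattributed cookies to Lax.
    """
    _, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    samesite = (attrs.get("samesite") or "").lower()
    if samesite == "":
        problems.append(
            "no SameSite attribute: Lax-by-default browsers will not send this cookie to a cross-site iframe"
        )
    elif samesite in ("lax", "strict"):
        problems.append(f"SameSite={samesite} explicitly blocks cross-site iframe use")
    if samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure: the cookie is rejected outright")
    return problems


# Assumption: patterns follow Chromium's published incompatible-clients list.
_CHROME_RE = re.compile(r"Chrom(?:e|ium)/(\d+)")
_IOS_RE = re.compile(r"(?:iPhone|iPad); CPU (?:iPhone )?OS (\d+)_")
_MACOS_RE = re.compile(r"Mac OS X 10_(\d+)")


def client_mishandles_samesite_none(user_agent: str) -> Optional[str]:
    """Return a reason if this user agent is known to mishandle SameSite=None, else None.

    For these clients the safest choice is to omit the SameSite attribute entirely,
    which is why the Moodle function in the thread does not return true unconditionally.
    """
    m = _CHROME_RE.search(user_agent)
    if m:
        major = int(m.group(1))
        if 51 <= major <= 66:
            return "Chrome 51-66 rejects cookies that carry SameSite=None"
        return None  # other Chrome/Chromium builds, including Chrome on macOS, are fine
    m = _IOS_RE.search(user_agent)
    if m and int(m.group(1)) == 12:
        return "Safari on iOS 12 treats SameSite=None as SameSite=Strict"
    m = _MACOS_RE.search(user_agent)
    if m and int(m.group(1)) == 14 and "Safari" in user_agent:
        return "Safari on macOS 10.14 treats SameSite=None as SameSite=Strict"
    return None


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every header and key the findings by cookie name plus index."""
    report: Dict[str, List[str]] = {}
    for i, header in enumerate(headers):
        name, _, _ = parse_set_cookie(header)
        report[f"{i}:{name}"] = audit_for_cross_site_embed(header)
    return report


if __name__ == "__main__":
    for key, problems in audit_all(SAMPLE_HEADERS).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Run it against the Set-Cookie headers you capture from the LTI provider's authentication response (browser devtools, Network tab): a non-empty finding for the session cookie is the provider-side bug Liam describes, and no change to should_use_samesite_none on the Moodle side will fix it, because Moodle never writes that provider's cookie.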
In reply to David Moreno Montero

Re: Samesite on Firefox 96

Written by: Liam Moran
Does this help: https://moodle.org/mod/forum/discuss.php?d=431031

It sounds like you're embedding Moodle into another LMS: based on that patch in 3.9.9, I think you may need to make a fix on the platform that Moodle is embedded into.
In reply to Liam Moran

Re: Samesite on Firefox 96

Written by: Eric Phetteplace
We're not embedding Moodle into another LMS (which... if you're doing that... wow, I do not envy you); it's the inverse: the problem occurs with LTIs that need to authenticate and embed something within Moodle. We're seeing the problem with VoiceThread and Panopto specifically. We are on Moodle 3.10.4, so we have the patch from that bug report (which was reported by someone at VoiceThread, incidentally), and yet the problem still occurs.