sameSite cookie support #16543
Here is some background info: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
This seems like a reasonable request. I would say that changes need to go here: https://github.com/angular/angular.js/blob/master/src/ngCookies/cookieWriter.js#L35
I am a little sceptical, since this is still experimental, there doesn't seem to be an up-to-date spec (only a draft that has expired since 2016) and it is only implemented by Chrome (since 2016) and soon Firefox (currently in Firefox beta). This means that users can't really rely on it for protection (since several "mainstream" browsers will ignore it). Using CSRF tokens is a much better/more reliable way of protecting your app against CSRF attacks (afaict). We should at least point it out in the docs.
Thanks so much for getting this merged!
Edge has also announced support now: https://twitter.com/MSEdgeDev/status/997145602474430464
Closes angular#16543 Closes angular#16544 Closes angular#16544
I'm submitting a ...
Current behavior:
Right now the angular cookie options support setting domain, expiration, and secure flags, but do not support the sameSite flag.
Expected / new behavior:
I'd like to request that support be added for the sameSite flag - this would help protect against CSRF attacks using cookies created by angular.
Minimal reproduction of the problem with instructions:
N/A
AngularJS version: 1.6.11
Browser: [Chrome >= 63 | Firefox >= 60 | Mobile Chrome >= 64]
Pulled via https://caniuse.com/#search=samesite
Anything else:
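As an added illustration (not angular.js's own cookieWriter code), here is a cookie-string builder in the spirit of the option handling the comment above points at, extended with the requested sameSite option; the function name, the option names and the validation rules are assumptions for this example.

```javascript
// Builds the string that would be assigned to document.cookie from a
// name, a value and an options object (path, domain, expires, secure,
// sameSite). Assumed option names; not the project's own implementation.
function buildCookieString(name, value, options) {
  var opts = options || {};
  var str = encodeURIComponent(name) + '=' + encodeURIComponent(value);
  str += opts.path ? ';path=' + opts.path : '';
  str += opts.domain ? ';domain=' + opts.domain : '';
  if (opts.expires) {
    var expires = opts.expires instanceof Date ? opts.expires : new Date(opts.expires);
    str += ';expires=' + expires.toUTCString();
  }
  str += opts.secure ? ';secure' : '';
  if (opts.sameSite) {
    var mode = String(opts.sameSite).toLowerCase();
    var allowed = { strict: 'Strict', lax: 'Lax', none: 'None' };
    if (!allowed.hasOwnProperty(mode)) {
      // Reject typos rather than silently emitting an attribute browsers ignore.
      throw new Error('sameSite must be Strict, Lax or None, got: ' + opts.sameSite);
    }
    // Browsers only honour SameSite=None on cookies that are also Secure.
    if (mode === 'none' && !opts.secure) {
      throw new Error('sameSite=None requires the secure flag');
    }
    str += ';samesite=' + allowed[mode];
  }
  return str;
}

// Constructed usage: a CSRF-token cookie restricted to same-site requests.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildCookieString('XSRF-TOKEN', 'abc 123',
    { path: '/', secure: true, sameSite: 'strict' }));
}
```

Because the comment above is right that older browsers simply drop unknown attributes, the resulting cookie still needs a server-side CSRF token check to be a reliable defence.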