Skip to content

Cookies: set samesite: Lax by default #8304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Aug 10, 2021
Merged

Cookies: set samesite: Lax by default #8304

merged 7 commits into from
Aug 10, 2021
+51 −43

Conversation

stsewd
Copy link
Member

@stsewd stsewd commented Jun 30, 2021
edited
Loading

The django's default is Lax, so I'm removing the setting.
I'm overriding only for .org in our ops repos.

We also are only allowing cross site requests
from public versions only.
Even if the domain is known,
if the version is private we don't set the CORS header.

Note: this is just to add another layer of security to our resources.

@stsewd stsewd marked this pull request as draft June 30, 2021 18:39
@stsewd stsewd force-pushed the use-default-same-site branch 2 times, most recently from b622fdf to b1d47e4 Compare June 30, 2021 19:30
@stsewd
Cookies: set samesite: Lax by default
693551f 
The django's default is `Lax`, so I'm removing the setting.
I'm overriding only for .org in our ops repos.

We also are only allowing cross site requests
from public versions only.
Even if the domain is known,
if the version is private we don't set the CORS header.
@stsewd stsewd force-pushed the use-default-same-site branch from b1d47e4 to 693551f Compare June 30, 2021 19:31
@stsewd stsewd marked this pull request as ready for review June 30, 2021 19:32
stsewd
stsewd commented Jun 30, 2021
View reviewed changes
@stsewd stsewd requested a review from a team June 30, 2021 22:56
humitos
humitos approved these changes Jul 1, 2021
View reviewed changes
@stsewd
Copy link
Member Author

stsewd commented Aug 3, 2021

I have made this value depend on use_promos, so no changes on the ops repo are required. I think we still need readthedocs/sphinx-hoverxref#134 so people with private projects can use the extension more easily, but isn't required.

ericholscher
ericholscher reviewed Aug 4, 2021
View reviewed changes
Copy link
Member

@ericholscher ericholscher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks close -- I feel like the search docs changes are a bit half-baked and need some more thought though. We probably need to at least some larger explanation of the proxied API's, instead of just halfway explaining them.

docs/server-side-search.rst
Search is exposed through our API that's proxied from the domain where your docs are being served.
This is ``https://docs.readthedocs.io/_/api/v2/search`` for the ``docs`` project, for example.
If you are using :doc:`/commercial/index` you will need to replace
https://readthedocs.org/ with https://readthedocs.com/ in all the URLs used in the following examples.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be under it's own section, probably Read the Docs for Business Users or similar

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is describing the API and examples, not sure if I follow about having another section

Copy link
Member

@ericholscher ericholscher Aug 9, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like, we need a section of the docs explaining the 2 different sites and endpoints (and auth, etc.), and then probably link to it from here for more detail.

docs/server-side-search.rst Outdated
@@ -194,3 +194,7 @@ If you are using :ref:`private versions <versions:privacy levels>`,
users will only be allowed to search projects they have permissions over.
Authentication and authorization is done using the current session,
or any of the valid :doc:`sharing methods </commercial/sharing>`.

Cookie sessions can be used only from the same domain as the API,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be explained more. What is the takeaway for a user? When should they use this URL instead?

Presumably this should use a readthedocs.com example, where it's most necessary.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be explained more. What is the takeaway for a user? When should they use this URL instead?

This is under the "Authentication and authorization" section of this doc, the paragraph above explains this is for private versions. I have changed this paragraph to avoid mentioning cookies.

ericholscher
ericholscher approved these changes Aug 9, 2021
View reviewed changes
Copy link
Member

@ericholscher ericholscher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we definitely have some room to improve the docs here, but I think we don't need to block this change on that. 👍

@stsewd stsewd merged commit 188798c into master Aug 10, 2021
@stsewd stsewd deleted the use-default-same-site branch August 10, 2021 00:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericholscher ericholscher ericholscher approved these changes

@humitos humitos humitos approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stsewd @ericholscher @humitos