Question: Modify SameSite cookie policy

[AustinGil]

Hi. With a recent release of Google Chrome, the browser will change how they apply the default value to the SameSite cookie policy. I'm wondering if there is an easy way to configure this in Cytomine as we would like to set out policy to lax rather than the default.

Any tips on this would be appreciated.

More on SameSite cookie policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

[geektortoise]

Hello,

Thanks for pointing that out.

A quick way is to add the cookie policy at the reverse proxy level

https://github.com/cytomine/Cytomine-bootstrap/blob/master/configs/nginx/nginx.conf.sample#L62

                location /j_spring_security {
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Host $host;
                        proxy_pass http://core:8080;
                        proxy_cookie_path / "/; HttpOnly; SameSite=lax";
                }

I will try to add it at the backend level.

[AustinGil]

Looking at making a PR for this. Do you have a preference on how to approach it? Im guessing we dont want to hard code a policy in there. Maybe add an option in the config file?