ServerEvents & Cookies: SameSite

Hi,

I’ve noticed that when our Angular webapp subscribes to server events in Chrome I get a SameSite warning, which we don’t get if the app doesn’t subscribe to server events.


Can anyone explain what we need to do to get around this potential problem?

What are the full raw HTTP headers returned with the cookies, and what are the actual warnings about it from Chrome?

Hi @mythz

Here are the response headers (running under http whilst debugging):

HTTP/1.1 200 OK
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: text/event-stream
Vary: Accept
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Date: Mon, 14 Feb 2022 08:25:52 GMT

Chrome provides this detail in its ‘Issues’ tab (bottom of the Console page):

Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute

1. Because a cookie’s `SameSite` attribute was not set or is invalid, it defaults to `SameSite=Lax`, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

   Resolve this issue by updating the attributes of the cookie:

   * Specify `SameSite=None` and `Secure` if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the `Secure` attribute.
   * Specify `SameSite=Strict` or `SameSite=Lax` if the cookie should not be set by cross-site requests.

2. AFFECTED RESOURCES
   * 2 cookies
   * 1 request: event-unregister?id=9qNZtAEB5gSDnzZtlT47

3. Learn more: SameSite cookies explained

These HTTP headers don’t contain any Cookie or Set-Cookie instructions?

Anyway, you can specify to use SameSite=Strict cookies with:

SetConfig(new HostConfig {
    UseSameSiteCookies = true
})

The default is SameSite=Lax, changing to UseSameSiteCookies=false sets cookies with SameSite=None.
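As an added example (not code from this thread or from ServiceStack), a small checker that applies the rules quoted in Chrome's issue text above to each Set-Cookie header of a raw response, given the response URL and the origin of the page that made the request. The eTLD+1 approximation, the treatment of http://localhost as trustworthy and the sample cookie names are assumptions.

```python
from urllib.parse import urlsplit

def registrable_domain(host):
    # Assumption: approximate eTLD+1 with the last two labels (no public-suffix list).
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) > 1 else labels[0]

def same_site(url_a, url_b):
    # Schemeful same-site: same scheme and same registrable domain; the port is ignored.
    a, b = urlsplit(url_a), urlsplit(url_b)
    return a.scheme == b.scheme and registrable_domain(a.hostname or "") == registrable_domain(b.hostname or "")

def parse_set_cookie(header):
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def check_cookie(set_cookie, response_url, request_origin):
    # Returns (cookie name, accepted by the browser?, reason) for one Set-Cookie header.
    name, _, attrs = parse_set_cookie(set_cookie)
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        samesite = "lax"  # Chrome's default when the attribute is missing or invalid
    resp = urlsplit(response_url)
    # Assumption: Chrome treats http://localhost as trustworthy, so Secure is allowed there.
    trustworthy = resp.scheme == "https" or resp.hostname in ("localhost", "127.0.0.1")
    if "secure" in attrs and not trustworthy:
        return name, False, "Secure attribute on a non-HTTPS response"
    if same_site(response_url, request_origin):
        return name, True, "same-site response, SameSite=%s accepted" % samesite
    if samesite == "none":
        if "secure" not in attrs:
            return name, False, "SameSite=None requires Secure"
        return name, True, "SameSite=None; Secure"
    return name, False, "SameSite=%s is not set by cross-site responses" % samesite

def check_response(raw_headers, response_url, request_origin):
    # Run check_cookie over every Set-Cookie line of a raw HTTP response.
    return [check_cookie(line.split(":", 1)[1].strip(), response_url, request_origin)
            for line in raw_headers.splitlines() if line.lower().startswith("set-cookie:")]

# Constructed sample response (cookie names and values are made up for this example).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Credentials: true
Set-Cookie: sess-id=abc123; Path=/; HttpOnly
Set-Cookie: sess-pid=def456; Path=/; HttpOnly; SameSite=None; Secure
"""
```

Running `check_response(SAMPLE_HEADERS, "https://api.example.com/event-stream", "https://app.example.org")` rejects the first cookie (defaulted to Lax on a cross-site response) and accepts the second; with both sides on http://localhost the request is same-site and both are accepted.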

I tried that but it had no effect and I don’t get the warning at all if I don’t subscribe to server events.

One thing that is puzzling me is that the Chrome issue refers to ‘event-unregister?id=blah’, yet I can’t see that request in Chrome’s network history.