This repository has been archived by the owner on Jan 24, 2023. It is now read-only.
Review JWT Cookie's SameSite value for authenticating users from 3rd-party sites
#2042
Labels: question (Further information is requested)
Overview
Currently, if a website is using DNSLink or a Handshake TLD, requests to a webportal will not include the user's JWT cookies, and will not allow them to interact with Skynet with their account.
This can be changed by setting the `SameSite` attribute of the cookie to `None` when it's set by the portal, but we need to assess the security implications. Mostly I think we're looking at Cross-site request forgery (CSRF) attacks, which we should already be protected against, since we're running untrusted code at subdomains that can make requests that include these cookies already.

Additionally, we need to confirm that this change makes sense for our roadmap if the Kernel will also be enabling this functionality. Since changing this value to `None` will also require setting the `Secure` flag, we should be sure that Kernel interaction will be happy to handle `https` traffic, especially if it will make use of JWT cookies over API Keys when authenticating with webportals.

Lastly, we probably should keep in mind this can reveal info that might be a privacy concern. A skapp could easily see if you're logged into another portal and know that you have an account there by seeing what HTTP status code was returned on a simple request. Because no permissions are needed, they could pin files to your account using any other portal.
Applications
Aside from loading assets from a site like `homescreen.org`, this is also an issue for `skynet-js` interaction from a non-portal domain, but also cross-portal (if an app like Rift wanted to be multi-portal).

I could also see this being very useful in iframe contexts.
Because of the `Secure` flag, redsolver's localhost proxy might have issues here. He is already requesting support for http-friendly `skynet-js`.

References
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
https://web.dev/samesite-cookies-explained/
If the JWT is overly permissive, perhaps we should consider another cookie that restricts permissions but allows cross-site access to certain functionality, as described here.
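As an added example (not code from the issue, from Skynet, or from skynet-js), the following Node.js snippet models the browser cookie rules the post is weighing. It builds the `Set-Cookie` header, refuses `SameSite=None` without `Secure` (browsers drop that combination outright), and then works through the requests described above: a fetch from `homescreen.org` or from a Handshake name to the portal, a request from a skapp running on a portal subdomain, and plain-http traffic such as a localhost proxy would carry. The portal host `siasky.net`, the Handshake name `rift`, the skapp subdomain and the cookie name `skynet-jwt` are assumptions chosen for illustration, and the "site" comparison takes the last two host labels rather than consulting the Public Suffix List.

```javascript
// Added example, not Skynet or skynet-js code: a model of the SameSite rules
// from RFC 6265bis, simplified. Host and cookie names are assumptions.

// Build a Set-Cookie header. Browsers silently drop a SameSite=None cookie that
// lacks Secure, so refuse the combination instead of shipping a broken login.
function buildSetCookie({ name, value, sameSite = "Lax", secure = false, httpOnly = true, path = "/" }) {
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Parse a Set-Cookie header back into the fields the send decision needs.
// A cookie with no SameSite attribute is treated as Lax, as current browsers do.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: "Lax", secure: false };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "samesite") cookie.sameSite = v;
    if (k.toLowerCase() === "secure") cookie.secure = true;
  }
  return cookie;
}

// "Site" means registrable domain. Real browsers use the Public Suffix List;
// the last two labels are enough for the hosts modelled here. A Handshake TLD
// such as "rift" is a single label and therefore its own site.
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Would the browser attach `cookie` to a request for `targetHost` made by a
// page on `initiatorHost`? `topLevelNavigation` separates following a link
// (where Lax cookies still travel) from fetch/XHR, iframe and asset loads.
function cookieSent(cookie, { initiatorHost, targetHost, scheme, topLevelNavigation = false, method = "GET" }) {
  if (cookie.secure && scheme !== "https") return false;
  if (siteOf(initiatorHost) === siteOf(targetHost)) return true; // same-site: always sent
  switch (cookie.sameSite) {
    case "Strict": return false;
    case "Lax": return topLevelNavigation && method === "GET";
    case "None": return true;
    default: return false;
  }
}

// The situations raised in the issue, as (cookie, request) -> sent?
function scenarios() {
  const lax = parseSetCookie(buildSetCookie({ name: "skynet-jwt", value: "token", sameSite: "Lax", secure: true }));
  const none = parseSetCookie(buildSetCookie({ name: "skynet-jwt", value: "token", sameSite: "None", secure: true }));
  const portal = "siasky.net"; // assumed portal host
  const fromHomescreen = { initiatorHost: "homescreen.org", targetHost: portal, scheme: "https" };
  const fromHandshake = { initiatorHost: "rift", targetHost: portal, scheme: "https" }; // assumed Handshake name
  const fromSkapp = { initiatorHost: "abc123def.siasky.net", targetHost: portal, scheme: "https", method: "POST" };
  const overHttp = { initiatorHost: "homescreen.org", targetHost: portal, scheme: "http" };
  return {
    laxFromHomescreen: cookieSent(lax, fromHomescreen),   // false: why DNSLink sites lose the session
    laxFromHandshake: cookieSent(lax, fromHandshake),     // false: same for a Handshake TLD
    laxFromSkapp: cookieSent(lax, fromSkapp),             // true: subdomain skapps already carry the cookie
    noneFromHomescreen: cookieSent(none, fromHomescreen), // true: the proposed change
    noneFromHandshake: cookieSent(none, fromHandshake),   // true
    noneOverHttp: cookieSent(none, overHttp),             // false: Secure blocks plain-http proxies
  };
}

module.exports = { buildSetCookie, parseSetCookie, siteOf, cookieSent, scenarios };
```

The `laxFromSkapp` row is the point behind "we should already be protected against" CSRF: a skapp on a portal subdomain is same-site, so its requests carry the cookie under any `SameSite` value, and whatever protects the portal from that code today must also hold once third-party sites can send the cookie. The `noneOverHttp` row is the localhost proxy concern: once `Secure` is set, no `http://` origin will see the cookie at all.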