Missing SameSite header in CDN
Describe the bug
All the modern browsers have started to enforce the SameSite header for security reasons. Previously, None used to be the default value, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

FCC doesn’t specify the SameSite header and the current browsers default to None, but in the near future this will change. Browsers in the near future will default to Lax, so to ensure the expected behaviour, we need to add the SameSite header with the Secure header.
To Reproduce
Steps to reproduce the behavior:
- Open any page or resource that uses the CDN
- Open the console (in Chrome) and see the warning
Expected behavior
The expected behaviour is to see no warning and the CDN should work as normal.
Screenshots
Here’s a screenshot of the warning ->
Desktop (please complete the following information):
- OS: Windows 10 (64 Bit)
- Browser: Chrome
- Version: 83.0.4103.61 (Official Build) (64-bit)
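As an added example (not code from the issue or from freeCodeCamp), the following Node.js script parses Set-Cookie response headers and reports how a browser that defaults to Lax, as the report describes, will treat each cookie. SameSite is an attribute of a cookie carried inside the Set-Cookie response header rather than a header of its own, so that is what the check reads. The sample headers are constructed for illustration, not captured from the CDN, and the function names are the example's own.

```javascript
// Added example, not part of the issue or the freeCodeCamp code base.
// Audits Set-Cookie headers for the SameSite / Secure combination that
// browsers defaulting to SameSite=Lax (Chrome 80+) enforce.

const SAMESITE_VALUES = new Set(['strict', 'lax', 'none']);

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Work out the SameSite enforcement a defaults-to-Lax browser applies and
// whether the cookie will still be sent on cross-site subresource requests
// (the case a CDN embedded in other sites cares about).
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const secure = attributes.secure === true;
  let sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase()
    : undefined;

  // Unrecognised values are treated as if the attribute were absent.
  if (sameSite !== undefined && !SAMESITE_VALUES.has(sameSite)) {
    findings.push(`unrecognised SameSite value "${attributes.samesite}" is treated as unspecified`);
    sameSite = undefined;
  }

  const effectiveSameSite = sameSite === undefined ? 'lax' : sameSite;
  if (sameSite === undefined) {
    findings.push('no SameSite attribute: a browser that defaults to Lax will not send this cookie on cross-site requests');
  }
  if (effectiveSameSite === 'none' && !secure) {
    findings.push('SameSite=None without Secure: Chrome rejects this cookie');
  }

  // Only SameSite=None; Secure survives a cross-site request.
  const crossSiteUsable = effectiveSameSite === 'none' && secure;
  return { name, effectiveSameSite, crossSiteUsable, findings };
}

function auditAll(headers) {
  return headers.map((h) => auditSetCookie(h));
}

// Constructed sample headers (assumptions for illustration, not captured from the CDN).
const SAMPLES = [
  'session=abc123; Path=/; HttpOnly',             // no SameSite at all
  'cdn_token=xyz; Path=/; SameSite=None',         // None without Secure
  'cdn_token=xyz; Path=/; SameSite=None; Secure', // what the issue asks for
  'pref=dark; Path=/; SameSite=Lax',              // explicit Lax, same-site only
];

for (const r of auditAll(SAMPLES)) {
  console.log(`${r.name}: SameSite=${r.effectiveSameSite}, cross-site usable=${r.crossSiteUsable}`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

To run it against a real response, paste the Set-Cookie lines from a `curl -sI` of the CDN URL into SAMPLES. Only the third sample is usable when the CDN is loaded from another origin; the first is exactly the case the Chrome console warns about, and the second is dropped outright, so adding SameSite=None without also adding Secure would make things worse, not better.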
Issue Analytics
- Created 3 years ago
- Comments: 17 (16 by maintainers)
Top GitHub Comments
Hi @Twaha-Rahman
Thanks a lot for the report.
Please note that while we are sincerely grateful for the report and the PR, we highly recommend reporting security issues to our dedicated email for these. You would have been presented with this template when opening an issue:
This gives us a chance to brace ourselves quickly 😃
I have left review comments on the PR.
Yes, we would have public deploy-previews. It would not be matched to the domain though.
Shouldn’t the warning appear on any site that uses the CDN? From my understanding, the CDN is missing a header, which shows the warning. So, any FCC site (even the Test Suite) will show the warning because it uses the CDN.