Comments (16)
The absence of support for the Partitioned cookie attribute poses significant security risks and could lead to compliance issues. Can we prioritize its release to mitigate these risks ASAP?
from rack.
As a workaround for earlier versions of rack where this won't be backported, it looks possible to add the Partitioned attribute to SameSite=None cookies.
$ cat ./config/initializers/partitioned_cookies.rb

```ruby
# frozen_string_literal: true

# Rack middleware that appends the Partitioned attribute to every
# SameSite=None cookie in the response. On Rack 2 the header key is
# "Set-Cookie" and several cookies are joined into one value with "\n",
# so a single gsub covers all of them.
class PartitionedCookies
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    set_cookie_header = headers["Set-Cookie"]
    if set_cookie_header && set_cookie_header.include?("SameSite=None")
      # Assign a new string instead of gsub! so a frozen header value is
      # not a problem; no trailing ";" so no empty attribute is produced.
      headers["Set-Cookie"] = set_cookie_header.gsub("SameSite=None", "SameSite=None; Partitioned")
    end
    [status, headers, body]
  end
end

# Sit outside ActionDispatch::Cookies so the middleware sees the final Set-Cookie header.
Rails.application.config.middleware.insert_before(ActionDispatch::Cookies, PartitionedCookies)
```
Inspired by this post. Hope this helps!
from rack.
We do have the same issue, and Chrome is going to deprecate third-party cookies for 1% of Chrome users globally starting Q1 2024
https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline
https://developers.google.com/privacy-sandbox/3pcd
from rack.
I am not. I'm on the rack core team, but I'm not an owner of the rack gem. The core team needs to review other existing pull requests before deciding which to merge before 3.1.
from rack.
Thanks for bringing this to our attention. It seems reasonable to me. Do you want to make a PR?
from rack.
Sure! Just submitted #2131
The PR raises an error if the secure attribute is not also set alongside partitioned. This requirement is mentioned in the Chrome docs and the official proposal. Requirements about other attributes are not very clear or don't appear set in stone, so I thought it would be good to just enforce the secure one.
from rack.
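As an added example (not code from the rack issue or from PR #2131), the helper below models the two points made in this thread: the PR's rule that Partitioned must be accompanied by Secure, and the workaround of appending Partitioned to SameSite=None cookies, here applied idempotently to a Rack 2 style header value in which several cookies are joined with newlines. The module and method names are assumptions; the sample header in the comments is constructed.

```ruby
# Added example, not from rack or the PR: parse Set-Cookie values, report
# cookies that break the CHIPS rule (Partitioned without Secure), and apply
# the Partitioned workaround without doubling the attribute.
module PartitionedCookieCheck
  # Parse one Set-Cookie line into [name, attributes]. Attribute keys are
  # lowercased; flag attributes such as Secure map to true.
  def self.parse(line)
    pair, *attrs = line.split(/;\s*/)
    name = pair.split("=", 2).first
    attributes = attrs.each_with_object({}) do |attr, h|
      k, v = attr.split("=", 2)
      h[k.downcase] = v.nil? ? true : v
    end
    [name, attributes]
  end

  # Names of cookies that set Partitioned but not Secure: the condition
  # the PR rejects when the cookie is built. Multiple cookies in one
  # header value are separated by "\n" (Rack 2 convention).
  def self.violations(header_value)
    header_value.split("\n").filter_map do |line|
      name, attrs = parse(line)
      name if attrs.key?("partitioned") && !attrs.key?("secure")
    end
  end

  # The workaround from the thread: add Partitioned to SameSite=None
  # cookies. Only Secure cookies are touched (so no violation is created)
  # and cookies already carrying Partitioned are left alone.
  def self.partition(header_value)
    header_value.split("\n").map do |line|
      _, attrs = parse(line)
      next line unless attrs["samesite"].to_s.casecmp?("none")
      next line if attrs.key?("partitioned") || !attrs.key?("secure")
      "#{line}; Partitioned"
    end.join("\n")
  end
end

# Constructed sample: one cross-site cookie, one Lax cookie, one broken cookie.
SAMPLE_HEADER = "session=abc; Path=/; SameSite=None; Secure\n" \
                "_csrf=xyz; Path=/; SameSite=Lax\n" \
                "bad=1; Partitioned"
```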
Thanks for doing that, @flavio-b.
We have a similar request and are wondering about the timeline for the next release, and whether there is any plan to backport this to the previous release (we are still on Rack 2)
from rack.
I don't think we should backport this to either Rack 3.0 or 2.2. We should only be backporting security fixes to Rack 2.2, and only bug and security fixes to Rack 3.0. However, other committers may feel differently.
from rack.
Pragmatically speaking, I'd be willing to entertain back-porting this to 3.0, but I basically agree with Jeremy, we should probably try to follow a more predictable model where possible, i.e. only back-port security fixes. Now that Rails 7.1 is released, I think we can start moving towards a Rack 3.1 release. So, maybe that's something we can focus on so this feature is released sooner rather than later.
from rack.
@jeremyevans what would you like to do here?
from rack.
I think we should merge this. However, as it is a new feature and not a bug fix, I don't think we should backport it.
from rack.
@jeremyevans, #2131 has been merged. Are you able to do a 3.1 release as @ioquatix suggested?
from rack.
@jeremyevans any news about this?
from rack.
We are aiming to do a 3.1 release within the next two months.
from rack.
Chrome is phasing out third-party cookies and since Q1 this year, for 1% of users they're already being blocked.
Given this is already impacting users and partitioned cookies are the drop-in solution, it would be great if this could be released soon 🙏
from rack.