
Comments (16)

jorgembfigueira commented on June 2, 2024 5

We are aiming to do a 3.1 release within the next two months.

The absence of support for the Partitioned cookie attribute poses significant security risks and could lead to compliance issues. Can we prioritize its release to mitigate these risks ASAP?

from rack.

phsultan commented on June 2, 2024 4

As a workaround for earlier versions of rack where this won't be backported, it looks possible to add the Partitioned attribute to SameSite=None cookies.

$ cat ./config/initializers/partitioned_cookies.rb
# frozen_string_literal: true

# Rack middleware that appends the Partitioned attribute to every cookie
# that is already SameSite=None, for Rack versions without native support.
# It assumes those cookies are also marked Secure, which Partitioned requires.
class PartitionedCookies
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)

    # Rack 2 stores cookies under "Set-Cookie" as one "\n"-joined String;
    # Rack 3 lowercases header names and may hold an Array of values.
    key = headers.key?("Set-Cookie") ? "Set-Cookie" : "set-cookie"
    value = headers[key]

    if value
      headers[key] = value.is_a?(Array) ? value.map { |c| partition(c) } : partition(value)
    end

    [status, headers, body]
  end

  private

  # Returns a new String instead of calling gsub! because header values may be
  # frozen. The negative lookahead keeps Partitioned from being added twice, and
  # no trailing ";" is appended so following attributes are not separated by ";;".
  def partition(cookie)
    cookie.gsub(/SameSite=None(?!;\s*Partitioned)/i, "SameSite=None; Partitioned")
  end
end

Rails.application.config.middleware.insert_before(ActionDispatch::Cookies, PartitionedCookies)

Inspired by this post. Hope this helps!


lssachin commented on June 2, 2024 1

We do have the same issue, and Chrome is going to deprecate third-party cookies for 1% of Chrome users globally starting Q1 2024.

https://privacysandbox.com/open-web/#the-privacy-sandbox-timeline
https://developers.google.com/privacy-sandbox/3pcd


jeremyevans commented on June 2, 2024 1

I am not. I'm on the rack core team, but I'm not an owner of the rack gem. The core team needs to review other existing pull requests before deciding which to merge before 3.1.


ioquatix commented on June 2, 2024

Thanks for bringing this to our attention. It seems reasonable to me. Do you want to make a PR?


flavio-b commented on June 2, 2024

Sure! Just submitted #2131

The PR raises an error if the secure attribute is not also set alongside partitioned. This requirement is mentioned in the Chrome docs and the official proposal. Requirements about other attributes are not very clear or don't appear set in stone, so I thought it would be good to just enforce the secure one.

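The rule the PR enforces, as an added example that is not rack's own code: a small Set-Cookie serializer that refuses Partitioned without Secure, plus an audit helper for checking existing header values (option names are modelled on Rack::Utils, but the implementation here is independent).

```ruby
require "uri"
require "time"

# Added example mirroring the rule described in the thread for rack PR #2131:
# a cookie marked Partitioned must also be marked Secure. Not rack's code.
module CookieBuilder
  # Serializes one Set-Cookie header value. Raises ArgumentError when
  # partitioned: true is given without secure: true.
  def self.build_set_cookie(name, value, **opts)
    if opts[:partitioned] && !opts[:secure]
      raise ArgumentError, "Partitioned cookies must also be Secure"
    end

    cookie = "#{name}=#{URI.encode_www_form_component(value.to_s)}"
    cookie << "; Domain=#{opts[:domain]}" if opts[:domain]
    cookie << "; Path=#{opts[:path]}" if opts[:path]
    cookie << "; Max-Age=#{Integer(opts[:max_age])}" if opts[:max_age]
    cookie << "; Expires=#{opts[:expires].httpdate}" if opts[:expires]
    cookie << "; Secure" if opts[:secure]
    cookie << "; HttpOnly" if opts[:httponly]
    cookie << "; SameSite=#{opts[:same_site].to_s.capitalize}" if opts[:same_site]
    cookie << "; Partitioned" if opts[:partitioned]
    cookie
  end

  # Audit helper for response headers emitted by other code: true when a
  # Set-Cookie value carries Partitioned but not Secure, which browsers reject.
  def self.partitioned_without_secure?(set_cookie)
    attrs = set_cookie.split(";").drop(1).map { |a| a.strip.split("=", 2).first.downcase }
    attrs.include?("partitioned") && !attrs.include?("secure")
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a cross-site session cookie with the attributes Chrome expects.
  puts CookieBuilder.build_set_cookie("sid", "abc 123", path: "/", secure: true,
                                      httponly: true, same_site: :none, partitioned: true)
end
```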

hao-atob commented on June 2, 2024

Thanks for doing that, @flavio-b.

We have a similar request and are wondering about the timeline for the next release, and whether there is any plan to backport this to a previous release (we are still on Rack 2).


jeremyevans commented on June 2, 2024

I don't think we should backport this to either Rack 3.0 or 2.2. We should only be backporting security fixes to Rack 2.2, and only bug and security fixes to Rack 3.0. However, other committers may feel differently.


ioquatix commented on June 2, 2024

Pragmatically speaking, I'd be willing to entertain back-porting this to 3.0, but I basically agree with Jeremy: we should probably try to follow a more predictable model where possible, i.e. only back-port security fixes. Now that Rails 7.1 is released, I think we can start moving towards a Rack 3.1 release. So, maybe that's something we can focus on so this feature is released sooner rather than later.


ioquatix commented on June 2, 2024

@jeremyevans what would you like to do here?


jeremyevans commented on June 2, 2024

I think we should merge this. However, as it is a new feature and not a bug fix, I don't think we should backport it.


flavio-b commented on June 2, 2024

@jeremyevans, #2131 has been merged. Are you able to do a 3.1 release as @ioquatix suggested?


cilim commented on June 2, 2024

@jeremyevans any news about this?


ioquatix commented on June 2, 2024

We are aiming to do a 3.1 release within the next two months.


edrd-f commented on June 2, 2024

Chrome is phasing out third-party cookies, and since Q1 this year they're already being blocked for 1% of users.
Given this is already impacting users and partitioned cookies are the drop-in solution, it would be great if this could be released soon 🙏
