git.stricted.de - GitHub/WoltLab/WCF.git/commit

author	Tim Düsterhus <duesterhus@woltlab.com>
	Wed, 10 May 2023 13:25:38 +0000 (15:25 +0200)
committer	Tim Düsterhus <duesterhus@woltlab.com>
	Thu, 15 Jun 2023 13:15:38 +0000 (15:15 +0200)
commit	d55814c60f67a1325457499e83e9e377d973cd1e
tree	4a8b7e1837e30d9eecc74c9e36f63317c06329eb	tree \| snapshot (tar.gz zip)
parent	1f024ca4da028eb05ff4eaa93c7678dd91658d15	commit \| diff

Drop the SameSite attribute from the XSRF-Token cookie to work around WebKit Bug 255524

It appears that Safari 16.4+ sometimes loses SameSite cookies without explicit
expiry when performing subrequests, e.g. to load JavaScript or when using
`fetch()`. The conditions apply to the XSRF-Token cookie. Now if one of the
subrequests hits the application, the application will hand out a fresh
XSRF-Token cookie, due to the cookie being missing. This results in spurious
changes of the XSRF-Token and thus error messages for the user.

According to comments in the WebKit Bug a workaround for the issue is not
providing a SameSite attribute at all and we leverage this workaround for the
time being: The SameSite attribute on the XSRF-Token cookie is a defense in
depth measure.

see https://bugs.webkit.org/show_bug.cgi?id=255524
see https://www.woltlab.com/community/thread/299769-fehlerhafter-xsrf-token/

(cherry picked from commit 832de3617df81b357430f8d99527dc34efd277a7)