    [FEATURE] Implement SameSite option for TYPO3 cookies · 2f415eae
    Benni Mack authored and Georg Ringer committed
    This change introduces a new security option for setting the SameSite
    option to all cookies sent by TYPO3 Core.
    
    Namely:
    - Frontend User Sessions ("lax" by default)
    - Backend User Sessions ("strict" by default)
    - Install Tool Sessions ("strict", non-configurable)
    - Last Login Provider in Backend ("strict", non-configurable)
    - ext:rsaauth via native session handling (“strict”, non-configurable)
    - workspace preview "ADMCMD_prev" using backend user setting
      ("strict" by default)
    
    This means that these can only be accessed by scripts and requests
    by the same site, and not by any third-party scripts.
    
    Since we're talking about actual cookies for a user, and not
    ads-related or third-party login-dependent cookies, the default
    options fit just perfectly.
    
    All modern browsers except Internet Explorer respect this option
    to be set. Please note that Firefox and Chrome will have "SameSite=lax"
    set in Q1/2020 by default if NO SameSite option is set at all. This change
    allows configuring this.
    
    Backend and Frontend User Cookies can be configured to "strict", "lax"
    or "none" (= same as before), whereas "none" only works for secure
    connections (= HTTPS).
    
    If "strict" is in place, security via CSRF is not needed anymore, and can
    be dropped in the future.
    
    Resolves: #90351
    Releases: master, 9.5, 8.7
    Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214
    
    
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Susanne Moog <look@susi.dev>
    Tested-by: Georg Ringer <georg.ringer@gmail.com>
    Reviewed-by: Susanne Moog <look@susi.dev>
    Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
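An added example, not part of the commit or of TYPO3 itself, that models the SameSite rules the message relies on: it builds a `Set-Cookie` header for the three configurable values, rejects `none` without `Secure` (the HTTPS requirement mentioned above), and simulates when a browser attaches such a cookie to a request. Cookie names and values are constructed for illustration.

```python
"""SameSite cookie policy helper (illustrative, not TYPO3 code)."""

# Attribute spelling browsers expect for each configuration value.
SAMESITE_VALUES = {"strict": "Strict", "lax": "Lax", "none": "None"}


class CookiePolicyError(ValueError):
    """Raised when a cookie configuration cannot be honoured by browsers."""


def build_set_cookie(name, value, samesite, secure, http_only=True, path="/"):
    """Return a Set-Cookie header value for the given SameSite policy.

    samesite: "strict", "lax" or "none" (case-insensitive).
    secure:   True when the cookie is only sent over HTTPS.
    """
    key = samesite.lower()
    if key not in SAMESITE_VALUES:
        raise CookiePolicyError(f"unknown SameSite value {samesite!r}")
    # SameSite=None is only accepted by browsers together with Secure.
    if key == "none" and not secure:
        raise CookiePolicyError("SameSite=None requires the Secure flag (HTTPS)")
    parts = [f"{name}={value}", f"Path={path}"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    parts.append(f"SameSite={SAMESITE_VALUES[key]}")
    return "; ".join(parts)


def cookie_sent(samesite, cross_site, top_level_navigation, safe_method):
    """Simulate a browser's decision to attach a cookie to a request.

    cross_site:           request originates from a different site.
    top_level_navigation: a navigation (e.g. following a link), not a
                          subresource fetch or form POST.
    safe_method:          HTTP method is GET/HEAD/OPTIONS.
    """
    key = samesite.lower()
    if not cross_site:
        return True                      # same-site requests always carry it
    if key == "strict":
        return False                     # never on cross-site requests
    if key == "lax":
        return top_level_navigation and safe_method
    return True                          # "none": sent cross-site (needs Secure)


if __name__ == "__main__":
    # Constructed sample resembling a backend session cookie with "strict".
    print(build_set_cookie("be_session", "0123abcd", "strict", secure=True))
```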