1. 10 Aug, 2021 4 commits
  2. 06 Aug, 2021 1 commit
  3. 13 Jul, 2021 1 commit
  4. 30 Jun, 2021 1 commit
  5. 10 Feb, 2021 1 commit
  6. 17 Nov, 2020 1 commit
  7. 07 Nov, 2020 1 commit
  8. 30 Oct, 2020 1 commit
  9. 22 Oct, 2020 1 commit
  10. 07 Sep, 2020 1 commit
  11. 17 Aug, 2020 1 commit
  12. 25 May, 2020 1 commit
  13. 20 May, 2020 1 commit
  14. 02 May, 2020 1 commit
  15. 15 Apr, 2020 2 commits
  16. 30 Mar, 2020 1 commit
  17. 06 Mar, 2020 1 commit
  18. 27 Feb, 2020 1 commit
  19. 16 Feb, 2020 1 commit
    • [FEATURE] Implement SameSite option for TYPO3 cookies · 2f415eae
      Benni Mack authored and Georg Ringer committed
      This change introduces a new security option for setting the SameSite
      option to all cookies sent by TYPO3 Core.
      
      Namely:
      - Frontend User Sessions ("lax" by default)
      - Backend User Sessions ("strict" by default)
      - Install Tool Sessions ("strict", non-configurable)
      - Last Login Provider in Backend ("strict", non-configurable)
      - ext:rsaauth via native session handling (“strict”, non-configurable)
      - workspace preview "ADMCMD_prev" using backend user setting
        ("strict" by default)
      
      This means that these can only be accessed by scripts and requests
      by the same site, and not by any third-party scripts.
      
      Since we're talking about actual cookies for a user, and not
      ads-related or third-party login-dependent cookies, the default
      options fit just perfectly.
      
      All modern browsers except Internet Explorer respect this option
      to be set. Please note that Firefox and Chrome will have "SameSite=lax"
      set in Q1/2020 by default if NO SameSite option is set at all. This change
      allows configuring this.
      
      Backend and Frontend User Cookies can be configured to "strict", "lax"
      or "none" (= same as before), whereas "none" only works for secure
      connections (= HTTPS).
      
      If "strict" is in place, security via CSRF is not needed anymore, and can
      be dropped in the future.
      
      Resolves: #90351
      Releases: master, 9.5, 8.7
      Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
      Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214
      
      
      Tested-by: TYPO3com <noreply@typo3.com>
      Tested-by: Susanne Moog <look@susi.dev>
      Tested-by: Georg Ringer <georg.ringer@gmail.com>
      Reviewed-by: Susanne Moog <look@susi.dev>
      Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
  20. 02 Feb, 2020 1 commit
  21. 01 Feb, 2020 1 commit
  22. 17 Jan, 2020 1 commit
  23. 13 Dec, 2019 1 commit
  24. 05 Dec, 2019 1 commit
  25. 29 Nov, 2019 1 commit
  26. 27 Nov, 2019 1 commit
  27. 18 Nov, 2019 1 commit
  28. 30 Oct, 2019 1 commit
  29. 25 Oct, 2019 1 commit
  30. 23 Oct, 2019 1 commit
  31. 11 Oct, 2019 1 commit
  32. 23 Sep, 2019 1 commit
  33. 28 Aug, 2019 1 commit
  34. 05 Aug, 2019 1 commit
  35. 25 Jun, 2019 1 commit
  36. 17 Jun, 2019 1 commit