Fix Samesite=None Secure=False cookie errors in Chrome

Recent releases of Chrome refuse to set csrf and session cookies for
which secure=False samesite=None. The "secure" attribute is not set by
the SameSite middleware in v0.5.1. It was introduced in v0.6.0.

Instead, the "secure" attribute is set on the sessions cookie by the
openedx.core.djangoapps.safe_sessions.middleware.SafeSessionMiddleware
middleware. For the csrf cookie, the "secure" attribute is set by
Django.

We could certainly get rid of the SafeSessionMiddleware by upgrading the
django-cookie-samesite dependency to v0.6.0. Instead, we need to define
environment-specific settings manually.

See:
https://github.com/edx/edx-platform/pull/23671
https://github.com/edx/edx-platform/pull/24593
https://discuss.overhang.io/t/users-cannot-login-csrf-cookie-not-set/815
https://discuss.openedx.org/t/lti-xblock-and-samesite/759/3
https://blog.heroku.com/chrome-changes-samesite-cookie
https://docs.djangoproject.com/en/2.2/ref/settings/#csrf-cookie-secure
https://github.com/jotes/django-cookies-samesite/issues/23

CHANGELOG.md

@@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".
 
 ## Unreleased
 
+- [Bugfix] Fix Samesite=None Secure=False cookie error for users accessing the LMS with the latest release of Google Chrome
 - [Security] Apply javascript security patch ([pull request](https://github.com/edx/edx-platform/pull/24762))
 - [Bugfix] Fix "FileError" on Scorm package upload in Scorm XBlock
 - 💥[Improvement] Serve openedx static assets with [whitenoise](http://whitenoise.evans.io/en/stable/) instead of nginx. This removes the `k8s-deployments-nginx-init-containers` patch. Plugins are encouraged to implement static asset serving with Whitenoise as well.

tutor/templates/apps/openedx/settings/lms/production.py

@@ -12,6 +12,19 @@ ALLOWED_HOSTS = [
 
 MIDDLEWARE.insert(0, "whitenoise.middleware.WhiteNoiseMiddleware")
 
+{% if ACTIVATE_HTTPS %}
+# Properly set the "secure" attribute on session/csrf cookies. This is required in
+# Chrome to support samesite=none cookies.
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+DCS_SESSION_COOKIE_SAMESITE = "None"
+{% else %}
+# When we cannot provide secure session/csrf cookies, we must disable samesite=none
+SESSION_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = False
+DCS_SESSION_COOKIE_SAMESITE = "Lax"
+{% endif %}
+
 # Required to display all courses on start page
 SEARCH_SKIP_ENROLLMENT_START_DATE_FILTERING = True
 

tutor/templates/build/openedx/Dockerfile

@@ -46,11 +46,14 @@ RUN curl https://github.com/overhangio/edx-platform/commit/089b26eed0302ed1f9a5b
 # https://github.com/edx/edx-platform/pull/24237
 # https://github.com/overhangio/edx-platform/tree/overhangio/fix-no-csmh
 RUN curl https://github.com/overhangio/edx-platform/commit/6dbf2eddf7a4563c04c3b51edf5e131106d69e19.patch | git apply -
+# Fix Google Chrome error with samesite=none secure=false in development
+# https://github.com/edx/edx-platform/pull/24592
+RUN curl https://github.com/edx/edx-platform/commit/b295389e96d7690e657a70afdffc2d931463b2b4.patch | git apply -
 # xsslint security patch
 # https://github.com/edx/edx-platform/pull/24568
 RUN curl https://github.com/edx/edx-platform/commit/0e45ecb743a1f329be825367e72695af4113f882.patch | git apply -
 # Sustaining security fixes 2
-# https://github.com/edx/edx-platform/pull/24762/commits
+# https://github.com/edx/edx-platform/pull/24762
 RUN curl https://github.com/edx/edx-platform/commit/d9e0ca5e70d66e528262f80413f125d6bfac9e4e.patch | git apply -
 
 ###### Download extra locales to /openedx/locale/contrib/locale