mirror of
https://github.com/ChristianLight/tutor.git
synced 2024-09-30 05:09:02 +00:00
Fix Samesite=None Secure=False cookie errors in Chrome
Recent releases of Chrome refuse to set csrf and session cookies for which secure=False samesite=None. The "secure" attribute is not set by the SameSite middleware in v0.5.1. It was introduced in v0.6.0. Instead, the "secure" attribute is set on the sessions cookie by the openedx.core.djangoapps.safe_sessions.middleware.SafeSessionMiddleware middleware. For the csrf cookie, the "secure" attribute is set by Django. We could certainly get rid of the SafeSessionMiddleware by upgrading the django-cookie-samesite dependency to v0.6.0. Instead, we need to define environment-specific settings manually.

See:
https://github.com/edx/edx-platform/pull/23671
https://github.com/edx/edx-platform/pull/24593
https://discuss.overhang.io/t/users-cannot-login-csrf-cookie-not-set/815
https://discuss.openedx.org/t/lti-xblock-and-samesite/759/3
https://blog.heroku.com/chrome-changes-samesite-cookie
https://docs.djangoproject.com/en/2.2/ref/settings/#csrf-cookie-secure
https://github.com/jotes/django-cookies-samesite/issues/23
parent 1d5bc05328
commit 9a6439b08c
@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥".
## Unreleased
## Unreleased
- [Bugfix] Fix Samesite=None Secure=False cookie error for users accessing the LMS with the latest release of Google Chrome
- [Security] Apply javascript security patch ([pull request](https://github.com/edx/edx-platform/pull/24762))
- [Security] Apply javascript security patch ([pull request](https://github.com/edx/edx-platform/pull/24762))
- [Bugfix] Fix "FileError" on Scorm package upload in Scorm XBlock
- [Bugfix] Fix "FileError" on Scorm package upload in Scorm XBlock
- 💥[Improvement] Serve openedx static assets with [whitenoise](http://whitenoise.evans.io/en/stable/) instead of nginx. This removes the `k8s-deployments-nginx-init-containers` patch. Plugins are encouraged to implement static asset serving with Whitenoise as well.
- 💥[Improvement] Serve openedx static assets with [whitenoise](http://whitenoise.evans.io/en/stable/) instead of nginx. This removes the `k8s-deployments-nginx-init-containers` patch. Plugins are encouraged to implement static asset serving with Whitenoise as well.
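Review bot: the new entry `- [Bugfix] Fix Samesite=None Secure=False cookie error for users accessing the LMS with the latest release of Google Chrome` describes the Chrome fix but not its side effect for deployments without ACTIVATE_HTTPS, where the session cookie now falls back to SameSite=Lax instead of None; that is a change in cross-site cookie behaviour for those operators, so the entry should mention it (or carry the 💥 marker this file uses for breaking changes).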
@ -12,6 +12,19 @@ ALLOWED_HOSTS = [
MIDDLEWARE.insert(0, "whitenoise.middleware.WhiteNoiseMiddleware")
MIDDLEWARE.insert(0, "whitenoise.middleware.WhiteNoiseMiddleware")
{% if ACTIVATE_HTTPS %}
# Properly set the "secure" attribute on session/csrf cookies. This is required in
# Chrome to support samesite=none cookies.
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
DCS_SESSION_COOKIE_SAMESITE = "None"
{% else %}
# When we cannot provide secure session/csrf cookies, we must disable samesite=none
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
DCS_SESSION_COOKIE_SAMESITE = "Lax"
{% endif %}
# Required to display all courses on start page
# Required to display all courses on start page
SEARCH_SKIP_ENROLLMENT_START_DATE_FILTERING = True
SEARCH_SKIP_ENROLLMENT_START_DATE_FILTERING = True
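Review bot: the `{% else %}` branch hard-codes `SESSION_COOKIE_SECURE = False` and `CSRF_COOKIE_SECURE = False`, so a deployment that terminates TLS in front of the LMS but leaves ACTIVATE_HTTPS unset will send both cookies without the secure flag and with SameSite=Lax; the comment `# When we cannot provide secure session/csrf cookies, we must disable samesite=none` should state that ACTIVATE_HTTPS has to match the scheme users actually connect with, because a mismatch silently downgrades cookie protection. Note also that only the session cookie's SameSite value is configured here (`DCS_SESSION_COOKIE_SAMESITE`); if the CSRF cookie is also expected to be sent in cross-site contexts, it needs a matching SameSite setting.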
@ -46,11 +46,14 @@ RUN curl https://github.com/overhangio/edx-platform/commit/089b26eed0302ed1f9a5b
# https://github.com/edx/edx-platform/pull/24237
# https://github.com/edx/edx-platform/pull/24237
# https://github.com/overhangio/edx-platform/tree/overhangio/fix-no-csmh
# https://github.com/overhangio/edx-platform/tree/overhangio/fix-no-csmh
RUN curl https://github.com/overhangio/edx-platform/commit/6dbf2eddf7a4563c04c3b51edf5e131106d69e19.patch | git apply -
RUN curl https://github.com/overhangio/edx-platform/commit/6dbf2eddf7a4563c04c3b51edf5e131106d69e19.patch | git apply -
# Fix Google Chrome error with samesite=none secure=false in development
# https://github.com/edx/edx-platform/pull/24592
RUN curl https://github.com/edx/edx-platform/commit/b295389e96d7690e657a70afdffc2d931463b2b4.patch | git apply -
# xsslint security patch
# xsslint security patch
# https://github.com/edx/edx-platform/pull/24568
# https://github.com/edx/edx-platform/pull/24568
RUN curl https://github.com/edx/edx-platform/commit/0e45ecb743a1f329be825367e72695af4113f882.patch | git apply -
RUN curl https://github.com/edx/edx-platform/commit/0e45ecb743a1f329be825367e72695af4113f882.patch | git apply -
# Sustaining security fixes 2
# Sustaining security fixes 2
# https://github.com/edx/edx-platform/pull/24762/commits
# https://github.com/edx/edx-platform/pull/24762
RUN curl https://github.com/edx/edx-platform/commit/d9e0ca5e70d66e528262f80413f125d6bfac9e4e.patch | git apply -
RUN curl https://github.com/edx/edx-platform/commit/d9e0ca5e70d66e528262f80413f125d6bfac9e4e.patch | git apply -
###### Download extra locales to /openedx/locale/contrib/locale
###### Download extra locales to /openedx/locale/contrib/locale
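Review bot: the added line `RUN curl https://github.com/edx/edx-platform/commit/b295389e96d7690e657a70afdffc2d931463b2b4.patch | git apply -` follows the file's existing pattern of piping curl straight into git apply, but curl runs without `--fail` and the RUN step's exit status comes from `git apply`, not from curl, so an HTTP error body or an empty download is not guaranteed to break the build, and the image's contents depend on GitHub serving the expected patch at build time. Use `curl -fsSL` and set `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of these RUN lines (Hadolint DL4006) so a bad download fails loudly, or vendor the patch files into the repository so the build does not fetch code over the network. The context-only change of the comment from `.../pull/24762/commits` to `.../pull/24762` is fine but unrelated to this fix.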