Skip to content

#5011 Fix to set Secure attribute on cookie when SameSite=none#5064

Merged
jsnellbaker merged 2 commits intoprebid:masterfrom
InteractiveAdvertisingBureau:issue-5011-securecookie
Apr 7, 2020
Merged

#5011 Fix to set Secure attribute on cookie when SameSite=none#5064
jsnellbaker merged 2 commits intoprebid:masterfrom
InteractiveAdvertisingBureau:issue-5011-securecookie

Conversation

@goosemanjack
Copy link
Contributor

@goosemanjack goosemanjack commented Apr 1, 2020

Type of change

  • [X ] Bugfix

Description of change

This change modifies the storageManager to detect if SameSite=None is used in the set cookie options. When the value "none" is specified for SameSite the browser also requires that the cookie be marked "Secure". This change automatically applies the "Secure" attribute when samesite=none is detected.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

Tested against DigiTrust ID that sets cookie.
(/integrationExamples/gpt/digitrust_Simple.html) sample page.
Note: this must be run over HTTPS connection to operate correctly.

  • contact email of the adapter’s maintainer
  • official adapter submission

Other Information

Must be run over HTTPS connection to operate correctly. Testing this over HTTP is an invalid scenario.

@goosemanjack goosemanjack mentioned this pull request Apr 1, 2020
Closed
@bretg bretg requested a review from jaiminpanchal27 April 2, 2020 13:25
jaiminpanchal27
jaiminpanchal27 approved these changes Apr 2, 2020
View reviewed changes
Copy link
Collaborator

@jaiminpanchal27 jaiminpanchal27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, minor change requested

src/storageManager.js Outdated
const expiresPortion = (expires && expires !== '') ? ` ;expires=${expires}` : '';
document.cookie = `${key}=${encodeURIComponent(value)}${expiresPortion}; path=/${domainPortion}${sameSite ? `; SameSite=${sameSite}` : ''}`;
var isNone = (sameSite != null && sameSite.toLowerCase() == 'none')
var secure = (isNone) ? '; Secure' : '';
Copy link
Collaborator

@jaiminpanchal27 jaiminpanchal27 Apr 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use const here and for isNone as well.

Copy link
Contributor Author

@goosemanjack goosemanjack Apr 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made requested change to use const. Thanks.

@bretg bretg requested a review from robertrmartinez April 6, 2020 01:20
@bretg bretg added the needs 2nd review Core module updates require two approvals from the core team label Apr 6, 2020
mkendall07
mkendall07 approved these changes Apr 7, 2020
View reviewed changes
Copy link
Contributor

@mkendall07 mkendall07 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, although probably should have test coverage

@jsnellbaker jsnellbaker merged commit 8275fc1 into prebid:master Apr 7, 2020
rjvelicaria pushed a commit to openx/Prebid.js that referenced this pull request Apr 9, 2020
@goosemanjack @rjvelicaria
prebid#5011 Fix to set Secure attribute on cookie when SameSite=none (p…
140c002 
…rebid#5064)

* prebid#5011 Fix to set Secure attribute on cookie when SameSite=none

* Minor change to use const instead of var per review request.
redaguermas added a commit to redaguermas/Prebid.js that referenced this pull request Apr 16, 2020
@redaguermas
Merge branch 'master' of https://github.com/prebid/Prebid.js
51525d7 
* 'master' of https://github.com/prebid/Prebid.js: (102 commits)
  Marsmedia - Add vastXml and fix id response (prebid#5067)
  PubMatic adapter to support image sync (prebid#5104)
  minor consentManagement fix (prebid#5050)
  fix circle ci failing tests (prebid#5113)
  Add Relaido Adapter (prebid#5101)
  Add new bid adapter for ConnectAd (prebid#4806)
  change payload (prebid#5105)
  Utils updates (prebid#5092)
  Read OpenRTB app objects if set in config + bug fix for when ad units are reloaded (prebid#5086)
  Criteo : added first party data mapping to bidder request (prebid#4954)
  updateAdGenerationManual (prebid#5032)
  New bid adapter: Wipes (prebid#5051)
  Prebid manager analytics utm tags (prebid#4998)
  CRITEO RTUS Integration with Yieldmo Prebid (prebid#5075)
  isSafariBrowser update  (prebid#5077)
  Support min &max duration for onevideo (prebid#5079)
  increment pre version
  Prebid 3.15.0 release
  prebid#5011 Fix to set Secure attribute on cookie when SameSite=none (prebid#5064)
  Prebid adapter for windtalker (prebid#5040)
  ...
iggyfisk pushed a commit to happypancake/Prebid.js that referenced this pull request Jun 22, 2020
@goosemanjack
prebid#5011 Fix to set Secure attribute on cookie when SameSite=none (p…
a4e14ba 
…rebid#5064)

* prebid#5011 Fix to set Secure attribute on cookie when SameSite=none

* Minor change to use const instead of var per review request.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jaiminpanchal27 jaiminpanchal27 jaiminpanchal27 approved these changes

@robertrmartinez robertrmartinez Awaiting requested review from robertrmartinez

@idettman idettman Awaiting requested review from idettman

@jsnellbaker jsnellbaker Awaiting requested review from jsnellbaker

+1 more reviewer

@mkendall07 mkendall07 mkendall07 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jaiminpanchal27 jaiminpanchal27

Labels

LGTM needs 2nd review Core module updates require two approvals from the core team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@goosemanjack @mkendall07 @jaiminpanchal27 @bretg @jsnellbaker

Comments