change samesite for workspace owner cookie #19028

Closed

@svenefftinge svenefftinge commented Nov 7, 2023

Description

This relaxes the workspace owner cookie so it gets sent when the workspace URLs are used from within an iframe.

Summary generated by Copilot

🤖 Generated by Copilot at bc88f2c

Fixed a cookie bug that prevented cross-site authentication between the workspace and dashboard domains. Changed the sameSite attribute of the cookie in user-controller.ts to "none".

Related Issue(s)

Fixes #

How to test

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

@svenefftinge svenefftinge marked this pull request as ready for review November 7, 2023 16:55
@svenefftinge svenefftinge requested a review from a team as a code owner November 7, 2023 16:55
@@ -358,12 +359,16 @@ export class UserController {
return;
}

const useSameSiteNone = await getExperimentsClientForBackend().getValueAsync("sameSiteNone", false, {
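Review bot: the `sameSiteNone` flag lookup has no comment saying what it gates or why it defaults to `false`. Suggest a short comment above `const useSameSiteNone = ...` stating that a true value sets the workspace owner cookie with `SameSite=None` so it is sent when workspace URLs are framed cross-site, and that the cookie must then also carry `Secure`, since browsers reject `SameSite=None` without it. The visible lines end at the opening `{` of the attributes argument, so what the flag is evaluated against cannot be checked from this hunk.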
Member

What is the goal of introducing a feature flag here? I'd like to understand the motivation and broader idea before we merge sth like this. 🙂
E.g., if the problem is "public port" is too public, then this is not a fix, but makes it worse. 🤷

Member Author

I added a feature flag so we can disable it in case we overlooked something during testing.

@svenefftinge
Member Author

Not going with this because of https://developer.chrome.com/docs/privacy-sandbox/third-party-cookie-phase-out/
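
The following is an added example, not code from this pull request or from the Gitpod code base: a simplified JavaScript model of when a browser attaches a cookie, comparing the three `SameSite` values for a workspace URL loaded in an iframe and showing what changes once third-party cookies are blocked. The host names are constructed, and the "site" comparison (last two labels) stands in for the Public Suffix List that real browsers use.

```javascript
// Simplified model of a browser's decision to attach a cookie (added example).
// Host names are constructed; real browsers derive the "site" from the
// Public Suffix List, approximated here by the last two labels.
const WORKSPACE = "ws-1234.workspaces.example";
const DASHBOARD = "app.workspaces.example";
const EMBEDDER = "portal.partner.test";

function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// cookie:  { sameSite: "strict" | "lax" | "none", secure: boolean }
// request: { targetHost, contextHost, topLevelNavigation, method,
//            thirdPartyCookiesBlocked }
// contextHost is the top-level page embedding the frame, or the page that
// started the navigation when topLevelNavigation is true.
function cookieIsSent(cookie, request) {
  // SameSite=None without Secure is rejected by browsers at set time.
  if (cookie.sameSite === "none" && !cookie.secure) return false;
  if (siteOf(request.targetHost) === siteOf(request.contextHost)) return true;

  // From here on the request is cross-site.
  if (request.topLevelNavigation) {
    // The target becomes the first party; Strict withholds the cookie,
    // and Lax allows it for safe methods only.
    if (cookie.sameSite === "strict") return false;
    return cookie.sameSite === "none" || request.method === "GET";
  }
  // Cross-site subresource or iframe: only None qualifies, and only while
  // the browser still accepts third-party cookies.
  return cookie.sameSite === "none" && !request.thirdPartyCookiesBlocked;
}

// Evaluates the workspace owner cookie in the situations the thread discusses.
function ownerCookieScenarios(sameSite) {
  const cookie = { sameSite, secure: true };
  const frame = { targetHost: WORKSPACE, contextHost: EMBEDDER,
                  topLevelNavigation: false, method: "GET",
                  thirdPartyCookiesBlocked: false };
  return {
    sameSiteFrame: cookieIsSent(cookie, { ...frame, contextHost: DASHBOARD }),
    crossSiteFrame: cookieIsSent(cookie, frame),
    crossSiteFrameBlocked: cookieIsSent(cookie, { ...frame, thirdPartyCookiesBlocked: true }),
    crossSiteLink: cookieIsSent(cookie, { ...frame, topLevelNavigation: true }),
  };
}

console.log(ownerCookieScenarios("none"));
```

With `"none"` the cookie is attached inside a frame on any embedding site, not only the intended one, and the same setting stops working in a browser that blocks third-party cookies.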
