Set the cookie SameSite directive to Strict
Opened this issue · 0 comments
sandbergja commented
Success criteria
- Lib Job's Set-Cookie response header includes "SameSite=Strict"
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of pulibrary/dacs_handbook#154
Example PR
Tradeoff
If a user logs into lib jobs, navigates to a non-Princeton Web site (e.g. some documentation on Github), and then clicks a link from that Web site back to lib jobs, they will need to log in to lib jobs again.
Further reading
I found this from Mozilla, this from Portswigger, and this blog post from Andrew Lock to be helpful in understanding this topic.