View Issue Details

ID: 0029611
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2023-10-31 16:32
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0029611: Cookies "SameSite" attribute triggers warnings in Firefox console
Description

Examples of warnings:

Some cookies are misusing the recommended “SameSite“ attribute

Multiple occurrences of the following message, on several pages (view.php, plugin.php, javascript_config, etc):

Cookie “MANTIS_collapse_settings” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite common.js:700:76

This message may have another root cause.

Cookie “MANTIS_collapse_settings” has been rejected because it is already expired. view.php

Steps To Reproduce
  1. Login
  2. Go to View Issues page
  3. Collapse/Expand one of the sections (e.g. Relationships)
  4. Reload the page

Warnings are shown in the browser's console.

Tags: No tags attached.

Relationships

related to 0029616 (closed, dregad): collapse_settings cookie is hardcoded

Activities

dregad

2022-02-17 16:07

developer   ~0066252

It seems that the warning

Cookie “MANTIS_collapse_settings” has been rejected because it is already expired.

is caused by a bug in Firefox.
https://stackoverflow.com/questions/65038173/cannot-remove-a-cookie-firefox-rejecting-cookies-from-the-past
https://bugzilla.mozilla.org/show_bug.cgi?id=1676651

dregad

2022-02-17 16:45

developer   ~0066254

PR https://github.com/mantisbt/mantisbt/pull/1796

Related Changesets

MantisBT: master 9090c6c3

2022-02-17 04:40

dregad


New config 'cookie_samesite'

Specifies the SameSite attribute for MantisBT cookies.

Issue 0029611
Affected Issues: 0029611
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/cookies.xml

MantisBT: master ea80bcfb

2022-02-17 04:45

dregad


Specify the SameSite attribute when setting cookies

This fixes the warnings caused by the SameSite attribute defaulting to
None that were displayed in the browser's console until now.

Changes in gpc_api.php:
- gpc_set_cookie() has a new $p_samesite parameter, defaulting to null,
meaning the value of $g_cookie_samesite config will be used.
- gpc_clear_cookie() also gets $p_samesite parameter, and sets the
cookie's value to 1 instead of '', to avoid console warnings
"Cookie XXX has been rejected because it is already expired".

Changes in common.js / javascript_config.php (fixing the
MANTIS_collapse_settings cookie):
- Expose configs cookie_samesite, cookie_path and cookie_domain
- Set the SameSite attribute, domain and path when setting the cookie

Changes in session_api.php:
- fixing the SameSite warnings for the PHP session cookie (PHPSESSID).

Note: in PHP < 7.3.0, the setcookie() function does not allow specifying
the SameSite attribute. To work around this limitation, this commit
implements a hack relying on PHP bug 69948 [1].

Fixes 0029611

[1]: https://bugs.php.net/bug.php?id=69948
Affected Issues: 0029611
mod - core/gpc_api.php
mod - core/session_api.php
mod - javascript_config.php
mod - js/common.js
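
The condition named in the first console warning (SameSite set to None or an invalid value, without Secure) and the fix of setting SameSite, path and domain explicitly can be sketched as follows. This is an added example, not MantisBT's common.js or gpc_api.php code; the function names, option names and sample cookie values are assumptions constructed for illustration.

```javascript
// Added example (not MantisBT code). Function and option names are hypothetical.
const SAMESITE_VALUES = ['Strict', 'Lax', 'None'];

// Build a cookie string with an explicit SameSite, path and domain.
// Refuses the combination the Firefox warning describes: None without Secure.
function buildCookie(name, value, opts = {}) {
  const { sameSite = 'Lax', path = '/', domain = '', secure = false, maxAgeDays } = opts;
  const canonical = SAMESITE_VALUES.find(
    (v) => v.toLowerCase() === String(sameSite).toLowerCase());
  if (!canonical) throw new Error(`Invalid SameSite value: ${sameSite}`);
  if (canonical === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (maxAgeDays !== undefined) parts.push(`Max-Age=${Math.round(maxAgeDays * 86400)}`);
  parts.push(`Path=${path}`);
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`SameSite=${canonical}`);
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Audit an existing cookie string; returns a finding, or null when it is clean.
function auditSameSite(cookie) {
  const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const sameSite = attrs.find((a) => a.startsWith('samesite='));
  if (!sameSite) return 'missing SameSite';
  const value = sameSite.slice('samesite='.length);
  if (!['strict', 'lax', 'none'].includes(value)) return 'invalid SameSite value';
  if (value === 'none' && !attrs.includes('secure')) return 'SameSite=None without Secure';
  return null;
}

// Constructed sample cookies, as a page script or Set-Cookie header might emit them.
const samples = [
  'MANTIS_collapse_settings=1; Path=/',
  'MANTIS_collapse_settings=1; Path=/; SameSite=None',
  buildCookie('MANTIS_collapse_settings', '1', { sameSite: 'lax', path: '/mantis/' }),
];
for (const c of samples) console.log(auditSameSite(c) ?? 'ok', '<-', c);
```

In a browser, the string returned by `buildCookie()` would be assigned to `document.cookie`.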