Option to re-issue certain cookies with samesite=none #14

Open
nealey opened this issue Oct 22, 2020 · 3 comments

@nealey

nealey commented Oct 22, 2020

Chrome 85 broke our ability to use the nassh-relay. Here's how:

We must first authenticate to an "inbound HTTPS proxy", which sets a domain-wide cookie.

Because the Chrome SSH proxy is an extension, WebSocket requests originating from the extension are prevented by the new (as of Chrome 85) same-site cookie policy. The "inbound HTTPS proxy" then posts a 302 redirect to the authentication page: 302 causes the WebSocket request to fail (the user is not presented the login page).

I was able to work around this by posting a static HTML page that re-issues the cookie with samesite=none, and this fixes the problem. Users must visit a magic web page after authenticating but before trying to SSH.

It might be possible to have nassh-relay also re-issue the cookie, which would be a nicer user experience. I would be happy to provide the name of the cookie in an argument to the program. This would probably have to show up in JavaScript, in case the "inbound HTTPS proxy" strips the cookie from the request before passing it along.

This would probably require some way to provide nassh-relay with the cookie to be re-issued, and may require the /cookie handler to reply with JavaScript which reissues the cookie and performs a redirect, if it is currently sending an HTTP redirect.

If this sounds like a reasonable approach, I will attempt to dust off my Java knowledge enough to submit a patch.

@zyclonite
Owner

Sounds interesting.

Would you plan this as a replacement of the current implementation or as a toggle-able feature?

@nealey
Author

nealey commented Oct 26, 2020

For my purposes, what is going to work best is to re-issue every cookie the browser sends to /cookie for path=/connect.

I need to test it, but I think this will work, if added to line 77 of CookieHandler.java:

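                // Re-issue all cookies the browser sent, scoped to /connect
                request.cookieMap().forEach((k,cookie)->{
                    cookie.setSameSite(CookieSameSite.NONE);
                    // Chrome rejects SameSite=None cookies that are not also Secure
                    cookie.setSecure(true);
                    cookie.setPath("/connect");
                    response.addCookie(cookie);
                });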

If this solves my problem, I'll try to add a command-line option to enable it. It's going to be another week, at least, but I'll get there :)

@zyclonite
Owner

I would prefer to add this toggle to the config.json
