💡 Summary

Currently the cookie being generated in `/packages/frontend/src/account.ts` when you sign in is not marked as `secure`:

misskey/packages/frontend/src/account.ts, line 205 in 0e92cbf

This can result in the cookie token being sent unencrypted by the browser over http if the webmaster didn't set up HSTS.

Note that Chrome and Firefox (since version 52 for both browsers) will not set a cookie when `secure` is used in an `http` scheme, according to MDN. So make sure `secure` is only added as a directive when `https` is the scheme, so as not to break Misskey instances which serve the frontend over secure hidden networks like Tor and Yggdrasil (which usually don't use `https`).

🥰 Expected Behavior

The cookie token should be marked as "secure" in the `document.cookie`. For example, Mastodon does it and my browser does note that the cookie will only be sent over HTTPS:

🤬 Actual Behavior

There's no `secure` directive in the `document.cookie`, and as noted by my browser it can be sent over any type of connection instead of just HTTPS:

📝 Steps to Reproduce

No response

💻 Frontend Environment

No response

🛰 Backend Environment (for server admin)

No response

Do you want to address this bug yourself?

Yes, I will patch the bug myself and send a pull request
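An added example (not Misskey's own code from `account.ts`) of building the sign-in cookie string so that `Secure` is emitted only when the page scheme is `https:`, which avoids the Chrome/Firefox rejection of `Secure` cookies on plain http described above. The cookie name `token` and the `path`/`SameSite` attributes are assumptions for illustration; the issue does not show Misskey's actual cookie string.

```javascript
// Added example, not Misskey's code. Cookie name "token", path=/ and
// SameSite=Lax are assumptions; only the Secure handling is the point here.

function buildTokenCookie(token, protocol) {
  // Chrome and Firefox (52+) refuse to store a cookie carrying Secure when it
  // is set from an http: document, so emitting Secure unconditionally would
  // silently break sign-in on instances served over Tor/Yggdrasil without TLS.
  const parts = [`token=${encodeURIComponent(token)}`, 'path=/', 'SameSite=Lax'];
  if (protocol === 'https:') {
    parts.push('Secure'); // only reachable on https, where the browser accepts it
  }
  return parts.join('; ');
}

// Quick check for the attribute, e.g. in a unit test or a devtools console:
// returns true when the cookie string carries the Secure attribute.
function hasSecureAttribute(cookieString) {
  return cookieString
    .split(';')
    .map((attr) => attr.trim().toLowerCase())
    .includes('secure');
}

// Browser usage would be:
//   document.cookie = buildTokenCookie(token, location.protocol);
// Note that a cookie written through document.cookie can never be HttpOnly;
// only a Set-Cookie response header from the server can set that flag, so the
// token remains readable by any script running on the page.
```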