camunda BPM / CAM-10791

Firefox does not send CSRF cookie if initial request comes from a cross-origin

    Details

      Description

      Steps to reproduce

      1. Use Firefox
      2. Add a link to the Webapps on a webpage located at a cross-origin (e.g. by using the developer console to manipulate the DOM of this webpage)
      3. Click the link to the Webapps
      4. Login to the Webapps
      5. Perform an action that results in a POST request (e.g. by clicking on the running instances count on the dashboard)

      Observed behavior

      • The session is invalidated since the CSRF token request header is absent
      • It is not possible to perform modifying requests until Firefox is restarted

      Expected behavior
      The session is not invalidated and the CSRF token request header is present.

      Solution
      Change the default value of the SameSite cookie attribute from Strict to Lax

      Hints

      • With the Lax option, the cookie is sent on a GET request coming from a cross-origin page
      • The problem reoccurs if a modifying request is sent from a cross-origin page
      • Only a restart of the browser makes the Webapps usable again
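The following is an added example, not code from the ticket or from the Camunda code base: it models the standard SameSite decision a browser makes (RFC 6265bis rules) and runs the ticket's three scenarios through it, showing why switching the default from Strict to Lax lets the cookie accompany the cross-origin link click in steps 2-3 while a cross-origin modifying request (hint 2) still goes out without it. The scenario names and request shapes are constructed here; the Firefox behaviour the ticket reports (cookie withheld until restart) is a deviation from these rules and is not modelled.

```python
from dataclasses import dataclass

# HTTP methods that SameSite=Lax treats as safe for cross-site top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiated from a site other than the cookie's site
    top_level_navigation: bool  # a link click / location change, not fetch, XHR or an iframe load


def cookie_is_sent(same_site: str, req: Request) -> bool:
    """Decide whether a cookie carrying the given SameSite attribute is attached to req.

    Rules (RFC 6265bis): Strict -> same-site requests only; Lax -> same-site requests plus
    cross-site top-level navigations that use a safe method; None -> always (needs Secure).
    """
    if not req.cross_site:
        return True
    value = same_site.lower()
    if value == "strict":
        return False
    if value == "lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if value == "none":
        return True
    raise ValueError(f"unknown SameSite value: {same_site!r}")


# The ticket's scenarios (constructed here, not captured from a browser).
SCENARIOS = {
    # Steps 2-3: clicking a link to the Webapps placed on a cross-origin page.
    "cross-origin link click (GET)": Request("GET", cross_site=True, top_level_navigation=True),
    # Hint 2: a modifying request (e.g. a cross-origin form POST) aimed at the Webapps.
    "cross-origin form POST": Request("POST", cross_site=True, top_level_navigation=True),
    # Step 5: a POST the Webapps issue themselves after login (same-site XHR).
    "same-site POST from the Webapps": Request("POST", cross_site=False, top_level_navigation=False),
}


def scenario_table(options=("Strict", "Lax")) -> dict:
    """Map each scenario to {SameSite option: cookie sent?} for the options the ticket compares."""
    return {name: {opt: cookie_is_sent(opt, req) for opt in options} for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, row in scenario_table().items():
        print(f"{name:34}", "  ".join(f"{o}={'sent' if ok else 'withheld'}" for o, ok in row.items()))
```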

          People

          • Assignee: Akif Hazarvi (akif.hazarvi)
          • Reporter: Tassilo Weidner (tassilo.weidner)