-
Type:
Bug Report
-
Resolution: Unresolved
-
Priority:
L3 - Default
-
Affects Version/s: 7.9.5, 7.12.0, 7.10.9, 7.11.3
-
Component/s: webapp
-
None
Steps to reproduce
- Use Firefox
- Add a link to the Webapps on a webpage located at a cross-origin (e. g. by using the developer console to manipulate the DOM of this webpage)
- Click the link to the Webapps
- Login to the Webapps
- Perform an action that results in a POST request (e. g. by clicking on the running instances count on the dashboard)
Observed behavior
- The session is invalidated since the CSRF token request header is absent
- It is not possible to perform modifying requests until Firefox is restarted
Expected behavior
The session is not invalidated and the CSRF token request header is present.
Solution
Set the default value for the SameSite property from strict to lax
Hints
- In case of the lax option the cookie is sent on GET from the cross-origin
- The problem reoccurs if a modifying request is sent from a cross-origin
- Only a restart of the browser makes the Webapps usable again
This is the controller panel for Smart Panels app
- is related to
-
-
- Closed
-