Details
Bug
Status: Resolved
Critical
Resolution: Fixed
Security Level: public (Regular issues)
Description
Currently, the dsrwid cookie set by the lazy window handler is set to secure=false and sameSite=None.
This combination will not be allowed by Firefox in the future. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
Instead, sameSite should be set to "lax", which is the default in modern browsers.
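
As an added example (not the project's own code), the following sketch audits a cookie string for the combination described above and builds the cookie with SameSite=Lax by default. The function names `parseCookieAttributes`, `auditSameSite` and `buildCookie` are hypothetical, and the cookie values are constructed.

```javascript
// Parse the attributes of a cookie string as written to document.cookie
// or sent in a Set-Cookie header. Only the fields this issue concerns are kept.
function parseCookieAttributes(cookieString) {
  const parts = cookieString.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const result = { name, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') result.secure = true;
    if (k === 'samesite') result.sameSite = value.trim().toLowerCase();
  }
  return result;
}

// Flag SameSite=None without Secure, the combination browsers reject.
function auditSameSite(cookieString) {
  const c = parseCookieAttributes(cookieString);
  if (c.sameSite === 'none' && !c.secure) {
    return { name: c.name, ok: false, reason: 'SameSite=None without Secure' };
  }
  if (c.sameSite !== null && !['strict', 'lax', 'none'].includes(c.sameSite)) {
    return { name: c.name, ok: false, reason: 'unknown SameSite value' };
  }
  const reason = c.sameSite === null ? 'SameSite omitted, browser default applies' : 'ok';
  return { name: c.name, ok: true, reason };
}

// Build the cookie string. SameSite defaults to Lax, and None is refused
// unless Secure is also requested.
function buildCookie(name, value, { sameSite = 'Lax', secure = false, path = '/' } = {}) {
  if (sameSite.toLowerCase() === 'none' && !secure) {
    throw new Error('SameSite=None requires Secure');
  }
  let cookie = `${name}=${encodeURIComponent(value)}; path=${path}; SameSite=${sameSite}`;
  if (secure) cookie += '; Secure';
  return cookie;
}

// Constructed sample values: the cookie as described in the issue, then the fixed form.
console.log(auditSameSite('dsrwid=constructed-1; path=/; SameSite=None'));
console.log(auditSameSite(buildCookie('dsrwid', 'constructed-1')));
```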