envoyproxy/gateway

feat: Add "partition" flag to cookies in securityPolicy's oidc argument

Open

#7,530 opened on Nov 16, 2025

View on GitHub
 (7 comments) (0 reactions) (0 assignees)Go (802 forks)auto 404
help wanted

Repository metrics

Stars
 (2,871 stars)
PR merge metrics
 (PR metrics pending)

Description

Description: Console warnings on newer versions of firefox are appearing, saying "Cookie will soon be rejected because it is foreign and does not have the 'Partitioned' attribute."

These warnings appear when cookies are set by Envoy-gateway's securitypolicy using oidc with a cookieDomain that does not match the host. For example:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: my-gateway
  oidc:
    provider:
      issuer: "https://{{ .Values.providerDomain }}"
    clientID: "{{ .Values.clientID }}"
    clientSecret:
      name: "{{ .Values.clientSecretName }}"
    cookieDomain: "example.com"
    redirectURL: "https://app.example.com/callback"
    logoutPath: "/oidc/logout" 

In this example, oidc cookies containing access tokens etc will be set to the domain 'example.com', but authenticated requests to app.example.com and api.example.com (that successfully pass through the gateway) will both complain that the cookies are foreign.

Can we get some way to specify "Partitioned=true" set on these cookies? Perhaps somewhere in https://gateway.envoyproxy.io/v1.5/api/extension_types/#oidccookieconfig would be good.

Relevant Links: MDN's info on partitioning A medium blog about third party cookies pertinent github issue in another project

Contributor guide