envoyproxy/gateway

feat: Add "partition" flag to cookies in securityPolicy's oidc argument

Open

#7 530 ouverte le 16 nov. 2025

Voir sur GitHub
 (7 commentaires) (0 réactions) (0 assignés)Go (802 forks)auto 404
help wanted

Métriques du dépôt

Stars
 (2 871 stars)
Métriques de merge PR
 (Métriques PR en attente)

Description

Description: Console warnings on newer versions of firefox are appearing, saying "Cookie will soon be rejected because it is foreign and does not have the 'Partitioned' attribute."

These warnings appear when cookies are set by Envoy-gateway's securitypolicy using oidc with a cookieDomain that does not match the host. For example:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: my-gateway
  oidc:
    provider:
      issuer: "https://{{ .Values.providerDomain }}"
    clientID: "{{ .Values.clientID }}"
    clientSecret:
      name: "{{ .Values.clientSecretName }}"
    cookieDomain: "example.com"
    redirectURL: "https://app.example.com/callback"
    logoutPath: "/oidc/logout" 

In this example, oidc cookies containing access tokens etc will be set to the domain 'example.com', but authenticated requests to app.example.com and api.example.com (that successfully pass through the gateway) will both complain that the cookies are foreign.

Can we get some way to specify "Partitioned=true" set on these cookies? Perhaps somewhere in https://gateway.envoyproxy.io/v1.5/api/extension_types/#oidccookieconfig would be good.

Relevant Links: MDN's info on partitioning A medium blog about third party cookies pertinent github issue in another project

Guide contributeur