envoyproxy/gateway

feat: Add "partition" flag to cookies in securityPolicy's oidc argument

Open

#7,530 建立於 2025年11月16日

在 GitHub 查看
 (7 留言) (0 反應) (0 負責人)Go (802 fork)auto 404
help wanted

倉庫指標

Star
 (2,871 star)
PR 合併指標
 (PR 指標待抓取)

描述

Description: Console warnings on newer versions of firefox are appearing, saying "Cookie will soon be rejected because it is foreign and does not have the 'Partitioned' attribute."

These warnings appear when cookies are set by Envoy-gateway's securitypolicy using oidc with a cookieDomain that does not match the host. For example:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: my-gateway
  oidc:
    provider:
      issuer: "https://{{ .Values.providerDomain }}"
    clientID: "{{ .Values.clientID }}"
    clientSecret:
      name: "{{ .Values.clientSecretName }}"
    cookieDomain: "example.com"
    redirectURL: "https://app.example.com/callback"
    logoutPath: "/oidc/logout" 

In this example, oidc cookies containing access tokens etc will be set to the domain 'example.com', but authenticated requests to app.example.com and api.example.com (that successfully pass through the gateway) will both complain that the cookies are foreign.

Can we get some way to specify "Partitioned=true" set on these cookies? Perhaps somewhere in https://gateway.envoyproxy.io/v1.5/api/extension_types/#oidccookieconfig would be good.

Relevant Links: MDN's info on partitioning A medium blog about third party cookies pertinent github issue in another project

貢獻者指南