Remove cookie clear
d8139c68[1] added:
asyncResp->res.addHeader("Clear-Site-Data",
R"("cache","cookies","storage")");
This causes browsers to clear the cache, cookies, and storage for
that site. [2]
Don't see where OWASP recommends the Clear-Site-Data response header. [3]
This seems reasonable but breaks our server manager (HMC) when using
webui-vue from the HMC proxy. [4][5]
The HMC is also using the cookie and storage from the same URI. The
proxy works by going to a URI and the HMC proxying it forward/reverse
for webui-vue.
Also had other problems clearing headers; Clear-Site-Data seems too
strict, just remove it.
[1]: https://github.com/openbmc/bmcweb/commit/d8139c683a2f42c47ed913b731becc6cd681e2dd
[2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
[3]: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
[4]: https://en.wikipedia.org/wiki/IBM_Hardware_Management_Console
[5]: https://www.ibm.com/docs/en/power10?topic=asmi-accessing-by-using-hmc
Tested: Firefox and Chrome no longer log out the HMC when logging out
of webui-vue.
Change-Id: I061eae9163ce5d88a3bd9f297ca5e10ff3a07984
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
diff --git a/include/cookies.hpp b/include/cookies.hpp
index 273871e..62fd3c7 100644
--- a/include/cookies.hpp
+++ b/include/cookies.hpp
@@ -27,7 +27,6 @@
"BMCWEB-SESSION="
"; Path=/; SameSite=Strict; Secure; HttpOnly; "
"expires=Thu, 01 Jan 1970 00:00:00 GMT");
- res.addHeader("Clear-Site-Data", R"("cache","cookies","storage")");
}
} // namespace bmcweb
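Review bot: With the Clear-Site-Data line removed, the logout response now relies entirely on the preceding Set-Cookie that expires BMCWEB-SESSION; nothing in the response asks the browser to drop cached pages or site storage any more. Please confirm the session is also invalidated server-side and that webui-vue clears whatever state it keeps in browser storage on logout, otherwise logging out of the web UI in a shared browser can leave cached authenticated content behind. Since the header is dropped for every deployment to fix the HMC proxy case, a short comment at this spot explaining why Clear-Site-Data is deliberately not sent would stop it being reintroduced later.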