Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Lax Cookie for Preview Mode #11495

Merged
merged 5 commits into from
Mar 30, 2020
Merged

Use Lax Cookie for Preview Mode #11495

merged 5 commits into from
Mar 30, 2020

Conversation

Timer
Copy link
Member

@Timer Timer commented Mar 30, 2020
edited
Loading

We currently use Strict SameSite cookies for Preview Mode. The reason for this pick was arbitrary, as we were erring to the least privileged option.

This pull request updates our Preview Mode cookie behavior to be Lax, which allows the following workflows:

  • Embedded previews within CMSes (using an <iframe>)
  • Redirects from Email or CMS authorization flow(s) will not require a page refresh to make "same origin"

We are comfortable with Lax as Chrome is moving to make this the default option for all cookies:
https://chromestatus.com/feature/5088147346030592

Using a Lax cookie is more secure than most browsers' current default: no same site requirement (Lax is more secure than browsers' current default: None).

Fixes #10881

@Timer Timer added this to the 9.3.4 milestone Mar 30, 2020
@ijjk
Copy link
Member

ijjk commented Mar 30, 2020

Stats from current PR

Default Server Mode (Decrease detected ✓)
General Overall decrease ✓
zeit/next.js canary Timer/next.js NEXT-154 Change
buildDuration 10.5s 10.4s -148ms
nodeModulesSize 52.8 MB 52.8 MB -24 B
Client Bundles (main, webpack, commons)
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.js gzip 6.24 kB 6.24 kB
webpack-HASH.js gzip 746 B 746 B
de003c3a9d30..c6c1.js gzip 10.1 kB 10.1 kB
framework.HASH.js gzip 39.1 kB 39.1 kB
Overall change 56.2 kB 56.2 kB
Client Bundles (main, webpack, commons) Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.module.js gzip 4.78 kB 4.78 kB
webpack-HASH..dule.js gzip 746 B 746 B
de003c3a9d30..dule.js gzip 6.71 kB 6.71 kB
framework.HA..dule.js gzip 39.1 kB 39.1 kB
Overall change 51.4 kB 51.4 kB
Legacy Client Bundles (polyfills)
zeit/next.js canary Timer/next.js NEXT-154 Change
polyfills-HASH.js gzip 26.3 kB 26.3 kB
Overall change 26.3 kB 26.3 kB
Client Pages
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.js gzip 1.24 kB 1.24 kB
_error.js gzip 3.15 kB 3.15 kB
hooks.js gzip 664 B 664 B
index.js gzip 222 B 222 B
link.js gzip 2.03 kB 2.03 kB
routerDirect.js gzip 279 B 279 B
withRouter.js gzip 278 B 278 B
Overall change 7.86 kB 7.86 kB
Client Pages Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.module.js gzip 594 B 594 B
_error.module.js gzip 2.08 kB 2.08 kB
hooks.module.js gzip 370 B 370 B
index.module.js gzip 212 B 212 B
link.module.js gzip 1.48 kB 1.48 kB
routerDirect..dule.js gzip 271 B 271 B
withRouter.m..dule.js gzip 270 B 270 B
Overall change 5.28 kB 5.28 kB
Client Build Manifests
zeit/next.js canary Timer/next.js NEXT-154 Change
_buildManifest.js gzip 61 B 61 B
_buildManife..dule.js gzip 61 B 61 B
Overall change 122 B 122 B
Rendered Page Sizes
zeit/next.js canary Timer/next.js NEXT-154 Change
index.html gzip 916 B 916 B
link.html gzip 925 B 925 B
withRouter.html gzip 914 B 914 B
Overall change 2.75 kB 2.75 kB
Serverless Mode (Increase detected ⚠️)
General Overall decrease ✓
zeit/next.js canary Timer/next.js NEXT-154 Change
buildDuration 11.1s 11.3s ⚠️ +192ms
nodeModulesSize 52.8 MB 52.8 MB -24 B
Client Bundles (main, webpack, commons)
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.js gzip 6.24 kB 6.24 kB
webpack-HASH.js gzip 746 B 746 B
de003c3a9d30..c6c1.js gzip 10.1 kB 10.1 kB
framework.HASH.js gzip 39.1 kB 39.1 kB
Overall change 56.2 kB 56.2 kB
Client Bundles (main, webpack, commons) Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.module.js gzip 4.78 kB 4.78 kB
webpack-HASH..dule.js gzip 746 B 746 B
de003c3a9d30..dule.js gzip 6.71 kB 6.71 kB
framework.HA..dule.js gzip 39.1 kB 39.1 kB
Overall change 51.4 kB 51.4 kB
Legacy Client Bundles (polyfills)
zeit/next.js canary Timer/next.js NEXT-154 Change
polyfills-HASH.js gzip 26.3 kB 26.3 kB
Overall change 26.3 kB 26.3 kB
Client Pages
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.js gzip 1.24 kB 1.24 kB
_error.js gzip 3.15 kB 3.15 kB
hooks.js gzip 664 B 664 B
index.js gzip 222 B 222 B
link.js gzip 2.03 kB 2.03 kB
routerDirect.js gzip 279 B 279 B
withRouter.js gzip 278 B 278 B
Overall change 7.86 kB 7.86 kB
Client Pages Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.module.js gzip 594 B 594 B
_error.module.js gzip 2.08 kB 2.08 kB
hooks.module.js gzip 370 B 370 B
index.module.js gzip 212 B 212 B
link.module.js gzip 1.48 kB 1.48 kB
routerDirect..dule.js gzip 271 B 271 B
withRouter.m..dule.js gzip 270 B 270 B
Overall change 5.28 kB 5.28 kB
Client Build Manifests
zeit/next.js canary Timer/next.js NEXT-154 Change
_buildManifest.js gzip 61 B 61 B
_buildManife..dule.js gzip 61 B 61 B
Overall change 122 B 122 B
Serverless bundles Overall increase ⚠️
zeit/next.js canary Timer/next.js NEXT-154 Change
_error.js gzip 294 kB 294 kB ⚠️ +121 B
404.html gzip 1.32 kB 1.32 kB
hooks.html gzip 957 B 957 B
index.js gzip 294 kB 294 kB -185 B
link.js gzip 301 kB 302 kB ⚠️ +884 B
routerDirect.js gzip 300 kB 300 kB -640 B
withRouter.js gzip 300 kB 300 kB ⚠️ +34 B
Overall change 1.49 MB 1.49 MB ⚠️ +214 B

@ijjk
Copy link
Member

ijjk commented Mar 30, 2020
edited
Loading

Failing test suites

test/integration/prerender-preview/test/index.test.js

  • Prerender Preview Mode > Development Mode > should return cookies to be expired after dev server reboot
  • Prerender Preview Mode > Emulated Serverless Mode > should return cookies to be expired on reset request
  • Prerender Preview Mode > Server Mode > should return cookies to be expired on reset request
  • Prerender Preview Mode > Serverless Mode > should return cookies to be expired on reset request
Expand output

● Prerender Preview Mode › Development Mode › should return cookies to be expired after dev server reboot

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  271 |         .map(cookie.parse)
  272 | 
> 273 |       expect(cookies.length).toBe(2)
      |                              ^
  274 |     })
  275 | 
  276 |     afterAll(async () => {

  at Object.<anonymous> (integration/prerender-preview/test/index.test.js:273:30)

● Prerender Preview Mode › Server Mode › should return cookies to be expired on reset request

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  146 |       .map(cookie.parse)
  147 | 
> 148 |     expect(cookies.length).toBe(2)
      |                            ^
  149 |     expect(cookies[0]).toMatchObject({
  150 |       Path: '/',
  151 |       SameSite: 'Lax',

  at Object.<anonymous> (integration/prerender-preview/test/index.test.js:148:28)

● Prerender Preview Mode › Serverless Mode › should return cookies to be expired on reset request

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  146 |       .map(cookie.parse)
  147 | 
> 148 |     expect(cookies.length).toBe(2)
      |                            ^
  149 |     expect(cookies[0]).toMatchObject({
  150 |       Path: '/',
  151 |       SameSite: 'Lax',

  at Object.<anonymous> (integration/prerender-preview/test/index.test.js:148:28)

● Prerender Preview Mode › Emulated Serverless Mode › should return cookies to be expired on reset request

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  146 |       .map(cookie.parse)
  147 | 
> 148 |     expect(cookies.length).toBe(2)
      |                            ^
  149 |     expect(cookies[0]).toMatchObject({
  150 |       Path: '/',
  151 |       SameSite: 'Lax',

  at Object.<anonymous> (integration/prerender-preview/test/index.test.js:148:28)

test/integration/getserversideprops-preview/test/index.test.js

  • ServerSide Props Preview Mode > Development Mode > should return cookies to be expired after dev server reboot
  • ServerSide Props Preview Mode > Emulated Serverless Mode > should return cookies to be expired on reset request
  • ServerSide Props Preview Mode > Server Mode > should return cookies to be expired on reset request
  • ServerSide Props Preview Mode > Serverless Mode > should return cookies to be expired on reset request
Expand output

● ServerSide Props Preview Mode › Development Mode › should return cookies to be expired after dev server reboot

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  271 |         .map(cookie.parse)
  272 | 
> 273 |       expect(cookies.length).toBe(2)
      |                              ^
  274 |     })
  275 | 
  276 |     afterAll(async () => {

  at Object.<anonymous> (integration/getserversideprops-preview/test/index.test.js:273:30)

● ServerSide Props Preview Mode › Server Mode › should return cookies to be expired on reset request

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  140 |       .map(cookie.parse)
  141 | 
> 142 |     expect(cookies.length).toBe(2)
      |                            ^
  143 |     expect(cookies[0]).toMatchObject({
  144 |       Path: '/',
  145 |       SameSite: 'Lax',

  at Object.<anonymous> (integration/getserversideprops-preview/test/index.test.js:142:28)

● ServerSide Props Preview Mode › Serverless Mode › should return cookies to be expired on reset request

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  140 |       .map(cookie.parse)
  141 | 
> 142 |     expect(cookies.length).toBe(2)
      |                            ^
  143 |     expect(cookies[0]).toMatchObject({
  144 |       Path: '/',
  145 |       SameSite: 'Lax',

  at Object.<anonymous> (integration/getserversideprops-preview/test/index.test.js:142:28)

● ServerSide Props Preview Mode › Emulated Serverless Mode › should return cookies to be expired on reset request

expect(received).toBe(expected) // Object.is equality

Expected: 2
Received: 1

  140 |       .map(cookie.parse)
  141 | 
> 142 |     expect(cookies.length).toBe(2)
      |                            ^
  143 |     expect(cookies[0]).toMatchObject({
  144 |       Path: '/',
  145 |       SameSite: 'Lax',

  at Object.<anonymous> (integration/getserversideprops-preview/test/index.test.js:142:28)

@ijjk
Copy link
Member

ijjk commented Mar 30, 2020

Stats from current PR

Default Server Mode (Decrease detected ✓)
General Overall decrease ✓
zeit/next.js canary Timer/next.js NEXT-154 Change
buildDuration 9.9s 10.2s ⚠️ +234ms
nodeModulesSize 52.8 MB 52.8 MB -24 B
Client Bundles (main, webpack, commons)
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.js gzip 6.24 kB 6.24 kB
webpack-HASH.js gzip 746 B 746 B
de003c3a9d30..c6c1.js gzip 10.1 kB 10.1 kB
framework.HASH.js gzip 39.1 kB 39.1 kB
Overall change 56.2 kB 56.2 kB
Client Bundles (main, webpack, commons) Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.module.js gzip 4.78 kB 4.78 kB
webpack-HASH..dule.js gzip 746 B 746 B
de003c3a9d30..dule.js gzip 6.71 kB 6.71 kB
framework.HA..dule.js gzip 39.1 kB 39.1 kB
Overall change 51.4 kB 51.4 kB
Legacy Client Bundles (polyfills)
zeit/next.js canary Timer/next.js NEXT-154 Change
polyfills-HASH.js gzip 26.3 kB 26.3 kB
Overall change 26.3 kB 26.3 kB
Client Pages
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.js gzip 1.24 kB 1.24 kB
_error.js gzip 3.15 kB 3.15 kB
hooks.js gzip 664 B 664 B
index.js gzip 222 B 222 B
link.js gzip 2.03 kB 2.03 kB
routerDirect.js gzip 279 B 279 B
withRouter.js gzip 278 B 278 B
Overall change 7.86 kB 7.86 kB
Client Pages Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.module.js gzip 594 B 594 B
_error.module.js gzip 2.08 kB 2.08 kB
hooks.module.js gzip 370 B 370 B
index.module.js gzip 212 B 212 B
link.module.js gzip 1.48 kB 1.48 kB
routerDirect..dule.js gzip 271 B 271 B
withRouter.m..dule.js gzip 270 B 270 B
Overall change 5.28 kB 5.28 kB
Client Build Manifests
zeit/next.js canary Timer/next.js NEXT-154 Change
_buildManifest.js gzip 61 B 61 B
_buildManife..dule.js gzip 61 B 61 B
Overall change 122 B 122 B
Rendered Page Sizes
zeit/next.js canary Timer/next.js NEXT-154 Change
index.html gzip 916 B 916 B
link.html gzip 925 B 925 B
withRouter.html gzip 914 B 914 B
Overall change 2.75 kB 2.75 kB
Serverless Mode (Increase detected ⚠️)
General Overall decrease ✓
zeit/next.js canary Timer/next.js NEXT-154 Change
buildDuration 10.7s 10.6s -96ms
nodeModulesSize 52.8 MB 52.8 MB -24 B
Client Bundles (main, webpack, commons)
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.js gzip 6.24 kB 6.24 kB
webpack-HASH.js gzip 746 B 746 B
de003c3a9d30..c6c1.js gzip 10.1 kB 10.1 kB
framework.HASH.js gzip 39.1 kB 39.1 kB
Overall change 56.2 kB 56.2 kB
Client Bundles (main, webpack, commons) Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
main-HASH.module.js gzip 4.78 kB 4.78 kB
webpack-HASH..dule.js gzip 746 B 746 B
de003c3a9d30..dule.js gzip 6.71 kB 6.71 kB
framework.HA..dule.js gzip 39.1 kB 39.1 kB
Overall change 51.4 kB 51.4 kB
Legacy Client Bundles (polyfills)
zeit/next.js canary Timer/next.js NEXT-154 Change
polyfills-HASH.js gzip 26.3 kB 26.3 kB
Overall change 26.3 kB 26.3 kB
Client Pages
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.js gzip 1.24 kB 1.24 kB
_error.js gzip 3.15 kB 3.15 kB
hooks.js gzip 664 B 664 B
index.js gzip 222 B 222 B
link.js gzip 2.03 kB 2.03 kB
routerDirect.js gzip 279 B 279 B
withRouter.js gzip 278 B 278 B
Overall change 7.86 kB 7.86 kB
Client Pages Modern
zeit/next.js canary Timer/next.js NEXT-154 Change
_app.module.js gzip 594 B 594 B
_error.module.js gzip 2.08 kB 2.08 kB
hooks.module.js gzip 370 B 370 B
index.module.js gzip 212 B 212 B
link.module.js gzip 1.48 kB 1.48 kB
routerDirect..dule.js gzip 271 B 271 B
withRouter.m..dule.js gzip 270 B 270 B
Overall change 5.28 kB 5.28 kB
Client Build Manifests
zeit/next.js canary Timer/next.js NEXT-154 Change
_buildManifest.js gzip 61 B 61 B
_buildManife..dule.js gzip 61 B 61 B
Overall change 122 B 122 B
Serverless bundles Overall increase ⚠️
zeit/next.js canary Timer/next.js NEXT-154 Change
_error.js gzip 293 kB 294 kB ⚠️ +714 B
404.html gzip 1.32 kB 1.32 kB
hooks.html gzip 957 B 957 B
index.js gzip 294 kB 294 kB ⚠️ +254 B
link.js gzip 301 kB 302 kB ⚠️ +617 B
routerDirect.js gzip 300 kB 300 kB -103 B
withRouter.js gzip 300 kB 300 kB ⚠️ +641 B
Overall change 1.49 MB 1.49 MB ⚠️ +2.12 kB

@Timer Timer merged commit c2c4241 into vercel:canary Mar 30, 2020
@Timer Timer deleted the NEXT-154 branch March 30, 2020 16:47
This was referenced Mar 31, 2020
Closed
Closed
Closed
@snyk-bot snyk-bot mentioned this pull request Apr 13, 2020
Merged
This was referenced Apr 24, 2020
Closed
Open
@vercel vercel locked as resolved and limited conversation to collaborators Jan 31, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ijjk ijjk ijjk approved these changes

@timneutkens timneutkens timneutkens approved these changes

@lfades lfades Awaiting requested review from lfades

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
9.3.4
Development

Successfully merging this pull request may close these issues.

ZEIT Now shows cached page in SSG preview mode
3 participants
@Timer @ijjk @timneutkens