Private Network Access Proposal / Secure and sameSite 'none' should be allowed for localhost #308

@pozylon

Description

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Introduction

When accessing insecure localhost (for ex. http://localhost:3000) from a remote hosted UI (for ex. https://sandbox.service) the natural secure configuration for the local Fastify cookie is:

domain: localhost
secure: true
httpOnly: true
sameSite: none

Why httpOnly? We don't want to allow the SPA on sandbox.service to potentially read the cookie and forward it to some arbitrary server, for security reasons.

Why sameSite none? Obviously we are in cross-site waters.

Why secure true when we are running the local server on HTTP? Because we have to, to make sameSite none work. Happily, for browsers, localhost is an exception and does not require us to use TLS:

A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#block_access_to_your_cookies

Browsers should officially allow that combination, but there are two issues here in regard to Fastify Cookie:

  1. Chrome stops its support for that combination except for the Private Network CORS header https://www.chromium.org/updates/same-site/

  2. Fastify does not send secure cookies over HTTP, only when trustProxy is (insecurely) enabled and an additional header is set:

x-forwarded-proto: https

Workaround

const Fastify = require('fastify');

const app = Fastify({
  // Required so that x-forwarded-proto is honoured when deciding the protocol (dev only)
  trustProxy: true,
});

// Workaround: Allow to use sandbox with localhost
// Pretend the connection was HTTPS so the Secure cookie is sent over plain HTTP
app.addHook('preHandler', async function (request) {
  request.headers['x-forwarded-proto'] = 'https';
});

// Answer Chrome's Private Network Access check on every response
app.addHook('onSend', async function (_, reply) {
  reply.headers({
    'Access-Control-Allow-Private-Network': 'true',
  });
});

Suggestion

We should look for a more straightforward solution to allow working in dev mode for this scenario. I'm not sure what the best way to solve this is.

  • A flag on Fastify config? allowPrivateNetworkAccess: true?
  • Extending cors and depending on that config? Support Private Network CORS fastify-cors#277
  • Lifting the need for x-forwarded-proto to be https and trustProxy to be enabled when checking if a cookie can be sent to the client, in general or just for localhost

Express has the same problem: expressjs/session#837

Motivation

No response

Example

No response
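The cookie and preflight decisions discussed in this issue, as an added worked example that is not part of the original post and not code from Fastify or @fastify/cookie. It stands in for a server request with a minimal `{ encrypted, headers }` object, treats "no Secure attribute and SameSite downgraded to Lax over a connection that is not considered secure" as a rule of this example (mirroring what the issue reports, not a description of the plugin's implementation), and spells the issue's third suggestion as a hypothetical `allowInsecureLoopback` option. The `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` pair is the Chrome Private Network Access preflight; origins, hostnames and cookie values are constructed.

```javascript
'use strict';

// Hosts a browser treats as loopback, and therefore as "potentially trustworthy"
// even over plain HTTP (which is why a Secure cookie still works on localhost).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Strip an optional port from a Host header and decide whether it names loopback.
function isLoopbackHost(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader === '') return false;
  const host = hostHeader.replace(/:\d+$/, '').toLowerCase();
  return LOOPBACK_HOSTS.has(host) || host.endsWith('.localhost');
}

// Decide whether a request counts as secure for cookie purposes.
// `req` is a minimal stand-in for a server request: { encrypted, headers }.
//   trustProxy            honour x-forwarded-proto, as Fastify's trustProxy does
//   allowInsecureLoopback hypothetical option for the issue's third suggestion:
//                         treat plain-HTTP loopback as secure, and nothing else
function isConnectionSecure(req, { trustProxy = false, allowInsecureLoopback = false } = {}) {
  if (req.encrypted) return true; // TLS terminated by this process
  if (trustProxy) {
    // Take the LAST entry: it is the one written by the proxy nearest to us. A proxy
    // that appends rather than overwrites would otherwise let a client forge the first.
    const raw = String(req.headers['x-forwarded-proto'] || '');
    const proto = raw.split(',').pop().trim().toLowerCase();
    if (proto === 'https') return true;
  }
  if (allowInsecureLoopback && isLoopbackHost(req.headers.host)) return true;
  return false;
}

// Attributes actually emitted. Over a connection that is not considered secure the
// Secure attribute is dropped and SameSite=None (rejected by browsers without Secure)
// is downgraded to Lax. This rule is the example's own, not @fastify/cookie's code.
function effectiveCookieAttributes(requested, connectionSecure) {
  const attrs = { path: '/', ...requested };
  if (!connectionSecure) {
    attrs.secure = false;
    if (attrs.sameSite === 'none') attrs.sameSite = 'lax';
  }
  return attrs;
}

// Serialize a Set-Cookie header value. sameSite is 'strict' | 'lax' | 'none'.
function serializeCookie(name, value, attrs) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.secure) parts.push('Secure');
  if (attrs.sameSite) {
    const s = String(attrs.sameSite).toLowerCase();
    if (!['strict', 'lax', 'none'].includes(s)) throw new TypeError(`bad sameSite: ${attrs.sameSite}`);
    parts.push(`SameSite=${s[0].toUpperCase()}${s.slice(1)}`);
  }
  return parts.join('; ');
}

// CORS preflight response headers for a Private Network Access request. Only an
// allow-listed Origin gets a grant; because the cookie travels with credentials the
// origin must be echoed exactly, never '*'. The private-network grant is added only
// when the browser asked for it.
function preflightResponseHeaders(reqHeaders, allowedOrigins) {
  const origin = reqHeaders.origin;
  if (typeof origin !== 'string' || !allowedOrigins.has(origin)) return {};
  const out = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
  if (reqHeaders['access-control-request-private-network'] === 'true') {
    out['Access-Control-Allow-Private-Network'] = 'true';
  }
  return out;
}

// Scenario from the issue: a UI on https://sandbox.service calling http://localhost:3000.
const ISSUE_COOKIE = { domain: 'localhost', secure: true, httpOnly: true, sameSite: 'none' };

function demo() {
  const set = (req, opts) =>
    serializeCookie('sid', 'abc', effectiveCookieAttributes(ISSUE_COOKIE, isConnectionSecure(req, opts)));
  const plainLocalhost = { encrypted: false, headers: { host: 'localhost:3000' } };
  const forged = { encrypted: false, headers: { host: 'localhost:3000', 'x-forwarded-proto': 'https' } };
  const remote = { encrypted: false, headers: { host: 'api.example.test:3000' } };
  return {
    defaultBehaviour: set(plainLocalhost),                                  // loses Secure, None -> Lax
    workaround: set(forged, { trustProxy: true }),                          // the issue's workaround
    loopbackOption: set(plainLocalhost, { allowInsecureLoopback: true }),   // hypothetical option
    loopbackOptionRemoteHost: set(remote, { allowInsecureLoopback: true }), // option must not leak to other hosts
    preflight: preflightResponseHeaders(
      { origin: 'https://sandbox.service', 'access-control-request-private-network': 'true' },
      new Set(['https://sandbox.service'])
    ),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The loopback check is deliberately narrower than the trustProxy route: it never makes a non-loopback Host look secure, whereas `trustProxy: true` plus a header any client can send does. The example emits `Domain=localhost` only because the issue's configuration sets it; omitting Domain yields a host-only cookie, which is the tighter default.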
