Railway Discord, ✋|help

samesite cookies; public suffix

Kasper 11/27/2022
Hi dev team! Quick question. I couldn't find railway.app (and up.railway.app) on the public suffix list. Maybe I'm missing something (not a security expert), but does this mean that a custom domain is necessary to enforce SameSite cookies? Best, Kasper
Percy 11/27/2022
Project ID: N/A
Kasper 11/29/2022
N/A. Luckily the web is a little more secure than I feared, as cookies by default seem to be set for the request domain. I am still curious why Railway is not (I think) on the public suffix list. Is this intentional for some feature?
Finn 11/29/2022
Not sure what the public suffix list is, but usually a load balancer goes in between your user and infra so all traffic goes to the same domain. So maybe you need to set up a reverse proxy using something like nginx.
Kasper 11/30/2022
The public suffix list is how browsers know at which level of a domain new domains can be registered. It's how it knows that me.com and you.com are not the same domain. If services allow people to register new domains within their domain (like me.up.railway.app and you.up.railway.app), they can register themselves on the public suffix list so that the browser sees these as different domains. This is among other things relevant for cookies. It's not as dangerous as I feared because cookies are by default set on the most specific domain. But I think it might be possible for me to set cookies at *.up.railway.app that every (non-custom) domain would receive. Not super dangerous, but could be used maliciously. Another benefit of the public suffix list is that it can be used by browsers to improve the user experience, by knowing which URLs to treat as different domains. Anyway, my problem was already 'solved', but it might be useful for Railway to register their suffix. I think most hosting platforms (Heroku, Netlify, etc.) are on there as well.
angelo 11/30/2022
cc @gschier and @char8 so they get visibility into possible domain/networking improvements. Cheers for raising this @Kasper.
Kasper 12/1/2022
You're welcome!
