diff --git a/src/Toolkit.js b/src/Toolkit.js
index 4314fb4..1cf8bc7 100644
--- a/src/Toolkit.js
+++ b/src/Toolkit.js
@@ -702,6 +702,39 @@ Ext.define('Proxmox.dd.DragDropManager', {
     },
 });
 
+// make it possible to set the SameSite attribute on cookies
+Ext.define('Proxmox.Cookies', {
+    override: 'Ext.util.Cookies',
+
+    set: function(name, value, expires, path, domain, secure, samesite) {
+        let attrs = [];
+
+        if (expires) {
+            attrs.push("expires=" + expires.toUTCString());
+        }
+
+        if (path === undefined) { // mimic original function's behaviour
+            attrs.push("path=/");
+        } else if (path) {
+            attrs.push("path=" + path);
+        }
+
+        if (domain) {
+            attrs.push("domain=" + domain);
+        }
+
+        if (secure === true) {
+            attrs.push("secure");
+        }
+
+        if (samesite && ["lax", "none", "strict"].includes(samesite.toLowerCase())) {
+            attrs.push("samesite=" + samesite);
+        }
+
+        document.cookie = name + "=" + escape(value) + "; " + attrs.join("; ");
+    },
+});
+
 // force alert boxes to be rendered with an Error Icon
 // since Ext.Msg is an object and not a prototype, we need to override it
 // after the framework has been initiated
diff --git a/src/Utils.js b/src/Utils.js
index 6daba97..4581215 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -308,7 +308,7 @@ utilities: {
         // that way the cookie gets deleted after the browser window is closed
         if (data.ticket) {
             Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
-            Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true);
+            Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "strict");
         }
 
         if (data.token) {
@@ -334,7 +334,7 @@ utilities: {
             return;
         }
         // ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure"
-        Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true);
+        Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "strict");
         window.localStorage.removeItem("ProxmoxUser");
     },
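Review bot: An unrecognised samesite value is silently dropped in the new `Proxmox.Cookies.set`, so a typo at a call site produces a cookie with no SameSite attribute and no signal; make the validation fail loudly by adding `} else if (samesite) { throw new Error("invalid samesite value: " + samesite); }` after the existing includes check. The override also accepts `none` without `secure === true`, a combination current browsers refuse, so it is worth either pushing `secure` automatically when samesite is `none` or rejecting that pairing. A JSDoc block on `set` describing the seven parameters, in particular that `path === undefined` defaults to `path=/` while `null` emits no path attribute at all, would help callers that depend on that distinction. The trailing `"; " + attrs.join("; ")` also leaves a dangling `; ` when attrs is empty; `[name + "=" + escape(value), ...attrs].join("; ")` avoids it.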
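Review bot: The added seventh argument `"strict"` is only honoured if the `Proxmox.Cookies` override is installed before this runs; the stock `Ext.util.Cookies.set` takes six positional parameters, so a load-order problem would silently drop the SameSite attribute — this is inferred from the ExtJS signature rather than anything visible in the hunk. A comment at the call site would make that dependency explicit: `// samesite is handled by the Proxmox.Cookies override in Toolkit.js`. The same literal is repeated in the cookie-clearing path further down; a shared constant next to `Proxmox.Setup.auth_cookie_name` would keep the two writes in step. The enclosing function starts and ends outside the hunk.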
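Review bot: The deletion write passes `null` for path, which the override turns into no path attribute, while the ticket cookie was set with path `/`; browsers key cookies on name, domain and path, so if the page's default path ever differs from `/` the expired overwrite targets a different cookie and the session ticket survives logout. Use the same attributes as the set call: `Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), '/', null, true, "strict");`. Whether the default path differs from `/` depends on where the UI is served from, which is not visible here, but matching the attributes removes that dependency entirely. The enclosing function begins outside the hunk.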