From aec7e8d23c5456b97e15f61b969c7ca895174909 Mon Sep 17 00:00:00 2001
From: Max Carrara
Date: Wed, 15 Mar 2023 17:26:27 +0100
Subject: [PATCH] toolkit/utils: set SameSite attr of auth cookie to 'strict'

Overrides 'Ext.util.Cookies', optionally allowing the SameSite attribute of cookies to be defined. Using this override, the SameSite attribute of the auth cookie is now set to 'strict', prohibiting the cookie from being sent along in cross-site sub-requests or when the user navigates to a different site.

Signed-off-by: Max Carrara
---
 src/Toolkit.js | 33 +++++++++++++++++++++++++++++++++
 src/Utils.js | 4 ++--
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/Toolkit.js b/src/Toolkit.js
index 4314fb4..1cf8bc7 100644
--- a/src/Toolkit.js
+++ b/src/Toolkit.js
@@ -702,6 +702,39 @@ Ext.define('Proxmox.dd.DragDropManager', {
     },
 });
 
+// make it possible to set the SameSite attribute on cookies
+Ext.define('Proxmox.Cookies', {
+    override: 'Ext.util.Cookies',
+
+    set: function(name, value, expires, path, domain, secure, samesite) {
+        let attrs = [];
+
+        if (expires) {
+            attrs.push("expires=" + expires.toUTCString());
+        }
+
+        if (path === undefined) { // mimic original function's behaviour
+            attrs.push("path=/");
+        } else if (path) {
+            attrs.push("path=" + path);
+        }
+
+        if (domain) {
+            attrs.push("domain=" + domain);
+        }
+
+        if (secure === true) {
+            attrs.push("secure");
+        }
+
+        if (samesite && ["lax", "none", "strict"].includes(samesite.toLowerCase())) {
+            attrs.push("samesite=" + samesite);
+        }
+
+        document.cookie = name + "=" + escape(value) + "; " + attrs.join("; ");
+    },
+});
+
 // force alert boxes to be rendered with an Error Icon
 // since Ext.Msg is an object and not a prototype, we need to override it
 // after the framework has been initiated
diff --git a/src/Utils.js b/src/Utils.js
index 6daba97..4581215 100644
--- a/src/Utils.js
+++ b/src/Utils.js
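Review bot: An unrecognised `samesite` value is silently dropped by the `includes` check in the new `set` override, so a typo at a call site yields a cookie with no SameSite attribute and nothing signals that the hardening was lost. Consider reporting an invalid value instead of ignoring it, e.g. `} else if (samesite) { console.warn("Proxmox.Cookies: ignoring invalid samesite value: " + samesite); }` after the existing `if`. A short doc comment on the parameter would also help, noting that `samesite` must be one of lax/none/strict and that browsers reject `SameSite=None` unless `secure` is `true`. The `escape(value)` call is deprecated but presumably kept so values stay readable by the unmodified `Ext.util.Cookies.get`; a comment such as `// escape() kept for parity with Ext.util.Cookies.get` would save the next reader a question.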
@@ -308,7 +308,7 @@ utilities: {
         // that way the cookie gets deleted after the browser window is closed
         if (data.ticket) {
             Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
-            Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true);
+            Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "strict");
         }
 
         if (data.token) {
@@ -334,7 +334,7 @@ utilities: {
             return;
         }
         // ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure"
-        Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true);
+        Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "strict");
         window.localStorage.removeItem("ProxmoxUser");
     },
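Review bot: The added seventh argument `"strict"` only takes effect if the `Proxmox.Cookies` override from Toolkit.js has been applied before this code runs; with the stock six-parameter `Ext.util.Cookies.set`, the extra argument is ignored and the auth cookie is set without any SameSite attribute, with no error to show it. If load order is guaranteed by the build, a brief comment above the call would make that assumption visible, e.g. `// the samesite argument relies on the Proxmox.Cookies override in Toolkit.js`. The same dependency applies to the `authClear` hunk at line 334. The `"strict"` literal is now duplicated at both call sites; a shared constant would keep them from drifting apart.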