From c03f5d73191878ac63cc95e4bd89806b6f4b3b8c Mon Sep 17 00:00:00 2001 From: Dominik Csapak Date: Mon, 14 Oct 2024 14:13:40 +0200 Subject: [PATCH] fix external linking when cookie was acquired via HTML formatter currently we set the SameSite attribute to `Strict` which prevents linking from external sites with the cookies set. (For a detailed explanation of this see [0]) so with the same rationale as in [0], set the cookie SameSite attribute to 'Lax', which is very similar behavior as 'Strict' but allows linking from external resources[1]. 0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/ 1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute Signed-off-by: Dominik Csapak --- src/PVE/APIServer/Formatter.pm | 2 +- src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm index 142127a..a8550a6 100644 --- a/src/PVE/APIServer/Formatter.pm +++ b/src/PVE/APIServer/Formatter.pm @@ -92,7 +92,7 @@ sub create_auth_cookie { my $encticket = uri_escape($ticket); - return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;"; + return "${cookie_name}=$encticket; path=/; secure; SameSite=Lax;"; } sub create_auth_header { diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm index 2558703..6be0049 100644 --- a/src/PVE/APIServer/Formatter/Bootstrap.pm +++ b/src/PVE/APIServer/Formatter/Bootstrap.pm @@ -89,7 +89,7 @@ sub body { $jssetup .= "PVE.delete_auth_cookie = function() {\n"; if ($self->{cookie_name}) { - $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n"; + $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Lax;\";\n"; }; $jssetup .= "};\n";