From ded13125c2877c69ada65bd7d08fd6580eb4de7f Mon Sep 17 00:00:00 2001
From: Max Carrara <m.carrara@proxmox.com>
Date: Wed, 15 Mar 2023 17:26:29 +0100
Subject: [PATCH] formatter/bootstrap: set SameSite attr of auth cookie to
 'strict'

This prohibits the cookie from being sent along in cross-site
sub-requests or when the user navigates to a different site.

Signed-off-by: Max Carrara <m.carrara@proxmox.com>
---
 src/PVE/APIServer/Formatter.pm           | 2 +-
 src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm
index 20455a0..142127a 100644
--- a/src/PVE/APIServer/Formatter.pm
+++ b/src/PVE/APIServer/Formatter.pm
@@ -92,7 +92,7 @@ sub create_auth_cookie {
 
     my $encticket = uri_escape($ticket);
 
-    return "${cookie_name}=$encticket; path=/; secure;";
+    return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
 }
 
 sub create_auth_header {
diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm
index 001ad2b..9fb7785 100644
--- a/src/PVE/APIServer/Formatter/Bootstrap.pm
+++ b/src/PVE/APIServer/Formatter/Bootstrap.pm
@@ -88,7 +88,7 @@ sub body {
     $jssetup .= "PVE.delete_auth_cookie = function() {\n";
 
     if ($self->{cookie_name}) {
-	$jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure;\";\n";
+	$jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
     };
     $jssetup .= "};\n";