proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-05-01 04:14:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

formatter/bootstrap: set SameSite attr of auth cookie to 'strict'

Browse Source 
This prohibits the cookie from being sent along in cross-site
sub-requests or when the user navigates to a different site.

Signed-off-by: Max Carrara <m.carrara@proxmox.com>
This commit is contained in:
Max Carrara 2023-03-15 17:26:29 +01:00 committed by Thomas Lamprecht
parent 1e9befeb80
commit ded13125c2
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/PVE/APIServer/Formatter.pm
View File

@ -92,7 +92,7 @@ sub create_auth_cookie {
my $encticket = uri_escape($ticket); my $encticket = uri_escape($ticket);
return "${cookie_name}=$encticket; path=/; secure;"; return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
} }
sub create_auth_header { sub create_auth_header {

2
src/PVE/APIServer/Formatter/Bootstrap.pm
View File

@ -88,7 +88,7 @@ sub body {
$jssetup .= "PVE.delete_auth_cookie = function() {\n"; $jssetup .= "PVE.delete_auth_cookie = function() {\n";
if ($self->{cookie_name}) { if ($self->{cookie_name}) {
$jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure;\";\n"; $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
}; };
$jssetup .= "};\n"; $jssetup .= "};\n";