From faa10da86b34ba449ace6fcff0795170a31f6b1d Mon Sep 17 00:00:00 2001 From: David Mehren Date: Mon, 8 Jun 2020 15:27:31 +0200 Subject: [PATCH] Set all cookies with sameSite: strict Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite Signed-off-by: David Mehren --- public/js/index.js | 3 ++- public/js/lib/common/login.js | 6 ++++-- public/js/lib/editor/index.js | 24 ++++++++++++++++-------- public/js/locale.js | 3 ++- src/lib/app.ts | 3 ++- 5 files changed, 26 insertions(+), 13 deletions(-) diff --git a/public/js/index.js b/public/js/index.js index ca28c3c89..603802338 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -1594,7 +1594,8 @@ function toggleNightMode () { store.set('nightMode', !isActive) } else { Cookies.set('nightMode', !isActive, { - expires: 365 + expires: 365, + sameSite: 'strict' }) } } diff --git a/public/js/lib/common/login.js b/public/js/lib/common/login.js index 28e5b4703..931c115f4 100644 --- a/public/js/lib/common/login.js +++ b/public/js/lib/common/login.js @@ -19,11 +19,13 @@ export function resetCheckAuth () { export function setLoginState (bool, id) { Cookies.set('loginstate', bool, { - expires: 365 + expires: 365, + sameSite: 'strict' }) if (id) { Cookies.set('userid', id, { - expires: 365 + expires: 365, + sameSite: 'strict' }) } else { Cookies.remove('userid') diff --git a/public/js/lib/editor/index.js b/public/js/lib/editor/index.js index 3cbdd8e9e..a8b25e20d 100644 --- a/public/js/lib/editor/index.js +++ b/public/js/lib/editor/index.js @@ -344,12 +344,14 @@ export default class Editor { const setType = () => { if (this.editor.getOption('indentWithTabs')) { Cookies.set('indent_type', 'tab', { - expires: 365 + expires: 365, + sameSite: 'strict' }) type.text('Tab Size:') } else { Cookies.set('indent_type', 'space', { - expires: 365 + expires: 365, + sameSite: 'strict' }) type.text('Spaces:') } @@ -360,11 +362,13 @@ export default class Editor { var unit = this.editor.getOption('indentUnit') if (this.editor.getOption('indentWithTabs')) { Cookies.set('tab_size', unit, { - expires: 365 + expires: 365, + sameSite: 'strict' }) } else { Cookies.set('space_units', unit, { - expires: 365 + expires: 365, + sameSite: 'strict' }) } widthLabel.text(unit) @@ -432,7 +436,8 @@ export default class Editor { const setKeymapLabel = () => { var keymap = this.editor.getOption('keyMap') Cookies.set('keymap', keymap, { - expires: 365 + expires: 365, + sameSite: 'strict' }) label.text(keymap) this.restoreOverrideEditorKeymap() @@ -480,7 +485,8 @@ export default class Editor { } this.editor.setOption('theme', theme) Cookies.set('theme', theme, { - expires: 365 + expires: 365, + sameSite: 'strict' }) checkTheme() @@ -525,7 +531,8 @@ export default class Editor { this.editor.setOption('mode', mode) } Cookies.set('spellcheck', mode === 'spell-checker', { - expires: 365 + expires: 365, + sameSite: 'strict' }) checkSpellcheck() @@ -570,7 +577,8 @@ export default class Editor { ) if (overrideBrowserKeymap.is(':checked')) { Cookies.set('preferences-override-browser-keymap', true, { - expires: 365 + expires: 365, + sameSite: 'strict' }) this.restoreOverrideEditorKeymap() } else { diff --git a/public/js/locale.js b/public/js/locale.js index 71c0f99fb..670370d40 100644 --- a/public/js/locale.js +++ b/public/js/locale.js @@ -25,7 +25,8 @@ $('select.ui-locale option[value="' + lang + '"]').attr('selected', 'selected') locale.change(function () { Cookies.set('locale', $(this).val(), { - expires: 365 + expires: 365, + sameSite: 'strict' }) window.location.reload() }) diff --git a/src/lib/app.ts b/src/lib/app.ts index 3aa576637..bfc97410f 100644 --- a/src/lib/app.ts +++ b/src/lib/app.ts @@ -181,7 +181,8 @@ app.use(session({ saveUninitialized: true, // always create session to ensure the origin rolling: true, // reset maxAge on every response cookie: { - maxAge: config.sessionLife + maxAge: config.sessionLife, + sameSite: 'strict' }, store: sessionStore }))