toolkit/utils: set SameSite attr of auth cookie to 'strict'

Overrides 'Ext.util.Cookies', optionally allowing the SameSite
attribute of cookies to be defined. Using this override, the SameSite
attribute of the auth cookie is now set to 'strict', prohibiting the
cookie from being sent along in cross-site sub-requests or when the
user navigates to a different site.

Signed-off-by: Max Carrara <m.carrara@proxmox.com>
Max Carrara 2023-03-15 17:26:27 +01:00 committed by Thomas Lamprecht
parent 95fa855701
commit aec7e8d23c
2 changed files with 35 additions and 2 deletions


@ -702,6 +702,39 @@ Ext.define('Proxmox.dd.DragDropManager', {
},
});
// make it possible to set the SameSite attribute on cookies
Ext.define('Proxmox.Cookies', {
override: 'Ext.util.Cookies',
set: function(name, value, expires, path, domain, secure, samesite) {
let attrs = [];
if (expires) {
attrs.push("expires=" + expires.toUTCString());
}
if (path === undefined) { // mimic original function's behaviour
attrs.push("path=/");
} else if (path) {
attrs.push("path=" + path);
}
if (domain) {
attrs.push("domain=" + domain);
}
if (secure === true) {
attrs.push("secure");
}
if (samesite && ["lax", "none", "strict"].includes(samesite.toLowerCase())) {
attrs.push("samesite=" + samesite);
}
document.cookie = name + "=" + escape(value) + "; " + attrs.join("; ");
},
});
// force alert boxes to be rendered with an Error Icon
// since Ext.Msg is an object and not a prototype, we need to override it
// after the framework has been initiated
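Review bot: An unrecognised `samesite` value is silently dropped by the `includes` check on the `if (samesite && ...)` line, so a typo at a call site leaves the auth cookie with whatever SameSite handling the browser applies by default, with no signal to the developer; for an attribute that exists to limit cross-site sending, failing loudly is safer: `if (samesite && !["lax", "none", "strict"].includes(samesite.toLowerCase())) { throw new Error("invalid SameSite value: " + samesite); }` before the push. The check also accepts `"none"` without `secure === true`, a combination current browsers reject outright, so a comment such as `// SameSite=None is only honoured by browsers when the cookie is also Secure` next to it would save a future caller some debugging. `escape()` is a deprecated global; it appears to be kept so values still round-trip through `Ext.util.Cookies.get`'s decoding, which is worth stating in the existing "mimic original" comment so nobody swaps it for `encodeURIComponent` on one side only.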


@ -308,7 +308,7 @@ utilities: {
// that way the cookie gets deleted after the browser window is closed
if (data.ticket) {
Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true);
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "strict");
}
if (data.token) {
@ -334,7 +334,7 @@ utilities: {
return;
}
// ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure"
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true);
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "strict");
window.localStorage.removeItem("ProxmoxUser");
},
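Review bot: The clearing call in the second hunk passes `null` as the path while the login call in the first hunk passes `'/'`; with the override's `path === undefined` → `path=/` and `else if (path)` handling, `null` emits no path attribute at all, so the expiring cookie only replaces the `path=/` auth cookie when the page happens to be served from the site root. Using the same path on both sides, `Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), '/', null, true, "strict");`, makes the logout deletion match the cookie the login set; this predates the commit but is worth fixing while the call is being touched. The `"strict"` literal is now repeated at both call sites; a single shared constant alongside `Proxmox.Setup.auth_cookie_name` would keep the two from drifting apart. Both enclosing functions start and end outside the hunks.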