toolkit/utils: set SameSite attr of auth cookie to 'strict'
Overrides 'Ext.util.Cookies', optionally allowing the SameSite attribute of cookies to be defined. Using this override, the SameSite attribute of the auth cookie is now set to 'strict', prohibiting the cookie from being sent along in cross-site sub-requests or on top-level navigations to this site that originate from a different site. Signed-off-by: Max Carrara <m.carrara@proxmox.com>
This commit is contained in:
parent
95fa855701
commit
aec7e8d23c
@ -702,6 +702,39 @@ Ext.define('Proxmox.dd.DragDropManager', {
|
||||
},
|
||||
});
|
||||
|
||||
// make it possible to set the SameSite attribute on cookies
|
||||
Ext.define('Proxmox.Cookies', {
|
||||
override: 'Ext.util.Cookies',
|
||||
|
||||
set: function(name, value, expires, path, domain, secure, samesite) {
|
||||
let attrs = [];
|
||||
|
||||
if (expires) {
|
||||
attrs.push("expires=" + expires.toUTCString());
|
||||
}
|
||||
|
||||
if (path === undefined) { // mimic original function's behaviour
|
||||
attrs.push("path=/");
|
||||
} else if (path) {
|
||||
attrs.push("path=" + path);
|
||||
}
|
||||
|
||||
if (domain) {
|
||||
attrs.push("domain=" + domain);
|
||||
}
|
||||
|
||||
if (secure === true) {
|
||||
attrs.push("secure");
|
||||
}
|
||||
|
||||
if (samesite && ["lax", "none", "strict"].includes(samesite.toLowerCase())) {
|
||||
attrs.push("samesite=" + samesite);
|
||||
}
|
||||
|
||||
document.cookie = name + "=" + escape(value) + "; " + attrs.join("; ");
|
||||
},
|
||||
});
|
||||
|
||||
// force alert boxes to be rendered with an Error Icon
|
||||
// since Ext.Msg is an object and not a prototype, we need to override it
|
||||
// after the framework has been initiated
|
||||
|
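Review bot: The `samesite` validation in the new `set` accepts `"none"` without `secure`, but browsers that enforce the SameSite=None rules (Chrome since 80, for instance) reject a `SameSite=None` cookie that is not also `Secure`, so such a cookie would be silently dropped instead of being set. Since this override is the one place that sees both flags, it should refuse or at least warn on that combination, e.g. `if (samesite.toLowerCase() === "none" && secure !== true) { console.warn("SameSite=None cookie requires the secure flag"); }` placed before the `attrs.push`. The `.toLowerCase()` call is also unguarded, so a non-string truthy `samesite` throws a TypeError; adding `typeof samesite === "string"` to the condition makes the accepted contract explicit. A short comment on the `path` branch would help too, since `path === undefined` giving `path=/` while `null` gives no path attribute mirrors how the stock ExtJS implementation treats an omitted versus an explicit `null` argument, and otherwise reads like an oversight.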
@ -308,7 +308,7 @@ utilities: {
|
||||
// that way the cookie gets deleted after the browser window is closed
|
||||
if (data.ticket) {
|
||||
Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
|
||||
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true);
|
||||
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "strict");
|
||||
}
|
||||
|
||||
if (data.token) {
|
||||
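Review bot: The `"strict"` argument only has an effect once the `Proxmox.Cookies` override from the first hunk is loaded; the stock `Ext.util.Cookies.set` ignores a seventh argument, and any other writer of `Proxmox.Setup.auth_cookie_name` outside this file (if one exists, e.g. in a product-specific UI) that does not pass it would replace this cookie with one lacking SameSite, so that is worth confirming. The comment above the `if (data.ticket)` block should also record the user-visible consequence so nobody later "fixes" it, e.g. `// samesite=strict: the ticket is not sent on cross-site top-level navigations, so a link from another site lands on the login screen`. Note that `SameSite` compares registrable domains, not origins, so it does not isolate the cookie from other hosts under the same site; the server-side CSRFPreventionToken check remains the primary CSRF defence. The enclosing function starts before and continues after this hunk.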
@ -334,7 +334,7 @@ utilities: {
|
||||
return;
|
||||
}
|
||||
// ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure"
|
||||
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true);
|
||||
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "strict");
|
||||
window.localStorage.removeItem("ProxmoxUser");
|
||||
},
|
||||
|
||||
|