mirror of git://git.proxmox.com/git/pve-http-server.git synced 2025-01-03 01:17:57 +03:00

fix external linking when cookie was acquired via HTML formatter

Currently we set the SameSite attribute to `Strict`, which prevents
linking from external sites with the cookies set.
(For a detailed explanation of this see [0].)

So, with the same rationale as in [0], set the cookie SameSite attribute
to 'Lax', which has very similar behavior to 'Strict' but allows linking
from external resources [1].

0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/
1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2024-10-14 14:13:40 +02:00 committed by Thomas Lamprecht
parent 2ef480f664
commit c03f5d7319
2 changed files with 2 additions and 2 deletions


@ -92,7 +92,7 @@ sub create_auth_cookie {
my $encticket = uri_escape($ticket);
return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
return "${cookie_name}=$encticket; path=/; secure; SameSite=Lax;";
}
sub create_auth_header {
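Review bot: the switch from `SameSite=Strict` to `SameSite=Lax` in the `return` of `create_auth_cookie` widens when the browser attaches the ticket cookie: with Lax it is also sent on top-level cross-site navigations (e.g. a plain link or a GET form from another origin), which is exactly what the commit message wants, but it means any endpoint reachable by such a request now receives the cookie. It would be worth a one-line comment above the `return` stating that this relies on state-changing operations not being triggerable via top-level GET navigations and on the existing CSRF token check for other methods, so the next person touching this line knows why Lax and not Strict was chosen.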


@ -89,7 +89,7 @@ sub body {
$jssetup .= "PVE.delete_auth_cookie = function() {\n";
if ($self->{cookie_name}) {
$jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
$jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Lax;\";\n";
};
$jssetup .= "};\n";
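Review bot: the `document.cookie` deletion string in `body` now repeats the same attribute list (`path=/; secure; SameSite=Lax;`) that `create_auth_cookie` emits, and this commit had to edit both places in lockstep; consider building the attribute suffix once in Perl and interpolating it into both the `Set-Cookie` value and the generated `PVE.delete_auth_cookie` JavaScript so the two cannot drift apart on the next change. Note also that for a browser to overwrite (expire) the cookie only the name, `path` and domain need to match, so the `SameSite` value in the deletion string is not strictly required for correctness; keeping it consistent is still the right call, but it should not be mistaken for a functional fix.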