* [pve-devel] [PATCH http-server] fix external linking when cookie was acquired via HTML formatter
@ 2024-10-14 12:13 Dominik Csapak
  2024-10-15 13:31 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Dominik Csapak @ 2024-10-14 12:13 UTC (permalink / raw)
  To: pve-devel

Currently we set the SameSite attribute to `Strict`, which prevents
linking from external sites with the cookies set.
(For a detailed explanation of this see [0].)

So, with the same rationale as in [0], set the cookie SameSite attribute
to 'Lax', which has very similar behavior to 'Strict' but allows linking
from external resources [1].

0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/
1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
This is meant as a follow-up to [0], but it can be applied independently,
since most users will not normally use the HTML formatter
(it is mostly intended for debugging/developing).

 src/PVE/APIServer/Formatter.pm           | 2 +-
 src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm
index 142127a..a8550a6 100644
--- a/src/PVE/APIServer/Formatter.pm
+++ b/src/PVE/APIServer/Formatter.pm
@@ -92,7 +92,7 @@ sub create_auth_cookie {
 
     my $encticket = uri_escape($ticket);
 
-    return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
+    return "${cookie_name}=$encticket; path=/; secure; SameSite=Lax;";
 }
 
 sub create_auth_header {
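Review bot: with Strict replaced by Lax in create_auth_cookie, the ticket cookie is now attached to cross-site top-level GET navigations (the "link from an external site" case the message wants), while cross-site non-GET requests stay blocked under Lax; the relaxation is therefore only safe if no GET-reachable endpoint changes state, and the commit message should state that explicitly since it is the whole justification. Also note that this function lives in the shared PVE::APIServer::Formatter module, not only in the Bootstrap HTML formatter the cover note describes as the only affected user, so any other caller of create_auth_cookie inherits the change; the message should confirm that is intended.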
diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm
index 2558703..6be0049 100644
--- a/src/PVE/APIServer/Formatter/Bootstrap.pm
+++ b/src/PVE/APIServer/Formatter/Bootstrap.pm
@@ -89,7 +89,7 @@ sub body {
     $jssetup .= "PVE.delete_auth_cookie = function() {\n";
 
     if ($self->{cookie_name}) {
-	$jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
+	$jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Lax;\";\n";
     };
     $jssetup .= "};\n";
 
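Review bot: the attribute list in this document.cookie literal now has to be kept in sync by hand with the string returned by create_auth_cookie in Formatter.pm, and drift would be silent: a cookie is identified by name, domain and path, SameSite is not part of that identity, so the expiring write still deletes the cookie even if the two values diverge. Consider deriving both from one constant (or passing the attribute string into the bootstrap template) rather than duplicating `path=/; secure; SameSite=Lax;` in two files. The trailing `;` after SameSite=Lax is harmless but unnecessary.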
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


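Added example (JavaScript; this is not code from the patch or from pve-http-server) modelling why a Strict cookie is withheld on the external link and a Lax one is not: it parses a Set-Cookie value shaped like the string create_auth_cookie returns and applies the RFC 6265bis SameSite rules to a few constructed requests. The host names, the ticket value and the simplified "site" computation (last two DNS labels instead of the public suffix list) are assumptions made for the example.

```javascript
// Added example, not part of the pve-http-server patch or the Proxmox code base.
// Models the browser-side SameSite decision for a cookie shaped like the one
// create_auth_cookie emits. Host names and the ticket value are constructed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse "name=value; attr; attr=value; ..." into { name, value, attrs }.
// Attribute names are case-insensitive; a trailing ";" yields an empty
// token that is skipped, so the Perl string's trailing semicolon is tolerated.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  if (eq <= 0) throw new Error("malformed cookie pair: " + nameValue);
  const cookie = {
    name: nameValue.slice(0, eq),
    value: decodeURIComponent(nameValue.slice(eq + 1)),
    attrs: {},
  };
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Simplified registrable domain (assumption: last two labels). Real browsers
// consult the public suffix list; for example.com-style hosts this matches.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Would the browser attach `cookie` to `request`?
// request: { initiatorHost, targetHost, method, topLevel, https }
// topLevel=true means a navigation (link click, form submit); false means a
// subresource or fetch/XHR request.
function wouldSend(cookie, request) {
  if (cookie.attrs["secure"] && !request.https) return false; // Secure cookies only over HTTPS
  const sameSite = String(cookie.attrs["samesite"] ?? "lax").toLowerCase(); // browsers default to Lax
  const crossSite = site(request.initiatorHost) !== site(request.targetHost);
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (sameSite) {
    case "strict":
      return false; // never on cross-site requests
    case "none":
      return Boolean(cookie.attrs["secure"]); // None is only honoured together with Secure
    default: // "lax" and unknown values
      return request.topLevel && SAFE_METHODS.has(request.method);
  }
}

const PVE_HOST = "pve.example.com"; // constructed host name
const TICKET = "PVE:root@pam:6701FFFF::c2lnbmF0dXJl"; // constructed, not a real ticket

// Same shape as the string create_auth_cookie returns, including the trailing ";".
function authCookie(sameSite) {
  return `PVEAuthCookie=${encodeURIComponent(TICKET)}; path=/; secure; SameSite=${sameSite};`;
}

// Constructed requests: the external link from the commit message, plus the
// cross-site cases that must stay blocked and a same-site control.
const SCENARIOS = {
  externalLink: { initiatorHost: "wiki.example.org", targetHost: PVE_HOST, method: "GET", topLevel: true, https: true },
  crossSitePost: { initiatorHost: "evil.example.org", targetHost: PVE_HOST, method: "POST", topLevel: true, https: true },
  crossSiteFetch: { initiatorHost: "evil.example.org", targetHost: PVE_HOST, method: "GET", topLevel: false, https: true },
  sameSiteXhr: { initiatorHost: PVE_HOST, targetHost: PVE_HOST, method: "POST", topLevel: false, https: true },
};

// Returns { scenario: { Strict: bool, Lax: bool } } for each scenario.
function compare(sameSiteValues = ["Strict", "Lax"]) {
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    out[name] = {};
    for (const v of sameSiteValues) out[name][v] = wouldSend(parseSetCookie(authCookie(v)), req);
  }
  return out;
}

console.table(compare());
```

Running it shows the only row where Strict and Lax differ is the external top-level GET link (withheld under Strict, sent under Lax); the cross-site POST and the cross-site fetch are blocked under both, which is why the relaxation costs nothing as long as GET endpoints do not change state.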

* [pve-devel] applied: [PATCH http-server] fix external linking when cookie was acquired via HTML formatter
  2024-10-14 12:13 [pve-devel] [PATCH http-server] fix external linking when cookie was acquired via HTML formatter Dominik Csapak
@ 2024-10-15 13:31 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2024-10-15 13:31 UTC (permalink / raw)
  To: Proxmox VE development discussion, Dominik Csapak

On 14/10/2024 at 14:13, Dominik Csapak wrote:
> Currently we set the SameSite attribute to `Strict`, which prevents
> linking from external sites with the cookies set.
> (For a detailed explanation of this see [0].)
> 
> So, with the same rationale as in [0], set the cookie SameSite attribute
> to 'Lax', which has very similar behavior to 'Strict' but allows linking
> from external resources [1].
> 
> 0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/
> 1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute
> 
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> This is meant as a follow-up to [0], but it can be applied independently,
> since most users will not normally use the HTML formatter
> (it is mostly intended for debugging/developing).
> 
>  src/PVE/APIServer/Formatter.pm           | 2 +-
>  src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
>

applied, thanks!


