From: Max Carrara <m.carrara@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-widget-toolkit 1/4] toolkit/utils: set SameSite attr of auth cookie to 'strict'
Date: Wed, 15 Mar 2023 17:26:27 +0100	[thread overview]
Message-ID: <20230315162630.289768-2-m.carrara@proxmox.com> (raw)
In-Reply-To: <20230315162630.289768-1-m.carrara@proxmox.com>

Overrides 'Ext.util.Cookies' so that the SameSite attribute of a cookie
can optionally be set. Using this override, the SameSite attribute of
the auth cookie is now set to 'strict', so the browser neither sends the
cookie along with cross-site sub-resource requests nor on a top-level
navigation that originates from a different site.

Signed-off-by: Max Carrara <m.carrara@proxmox.com>
---
 src/Toolkit.js | 33 +++++++++++++++++++++++++++++++++
 src/Utils.js   |  4 ++--
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/Toolkit.js b/src/Toolkit.js
index 4314fb4..1cf8bc7 100644
--- a/src/Toolkit.js
+++ b/src/Toolkit.js
@@ -702,6 +702,39 @@ Ext.define('Proxmox.dd.DragDropManager', {
     },
 });
 
+// make it possible to set the SameSite attribute on cookies
+Ext.define('Proxmox.Cookies', {
+    override: 'Ext.util.Cookies',
+
+    set: function(name, value, expires, path, domain, secure, samesite) {
+	let attrs = [];
+
+	if (expires) {
+	    attrs.push("expires=" + expires.toUTCString());
+	}
+
+	if (path === undefined) { // mimic original function's behaviour
+	    attrs.push("path=/");
+	} else if (path) {
+	    attrs.push("path=" + path);
+	}
+
+	if (domain) {
+	    attrs.push("domain=" + domain);
+	}
+
+	if (secure === true) {
+	    attrs.push("secure");
+	}
+
+	if (samesite && ["lax", "none", "strict"].includes(samesite.toLowerCase())) {
+	    attrs.push("samesite=" + samesite);
+	}
+
+	document.cookie = name + "=" + escape(value) + "; " + attrs.join("; ");
+    },
+});
+
 // force alert boxes to be rendered with an Error Icon
 // since Ext.Msg is an object and not a prototype, we need to override it
 // after the framework has been initiated
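Review bot: The attribute check accepts `samesite="none"` regardless of the `secure` argument, but current browsers discard a cookie carrying `SameSite=None` without `Secure`, so such a call silently sets nothing; the override should either reject that combination or at least document it. A comment above the check would do for now: `// SameSite=None is only honoured by browsers together with "secure"; callers must pass secure=true for it`. If you prefer a hard guard, `if (samesite.toLowerCase() === "none" && secure !== true) { throw new Error("SameSite=None requires secure=true"); }` inside the branch makes the misuse visible during development rather than surfacing as a missing cookie. The value pushed is the caller's original casing, which is fine since attribute values are matched case-insensitively, but pushing the lowercased form would make the emitted header uniform.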
diff --git a/src/Utils.js b/src/Utils.js
index c9c00a9..2343afd 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -306,7 +306,7 @@ utilities: {
 	// that way the cookie gets deleted after the browser window is closed
 	if (data.ticket) {
 	    Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
-	    Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true);
+	    Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "strict");
 	}
 
 	if (data.token) {
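Review bot: The new call sets `SameSite=Strict` on the ticket cookie without a comment, while the line above only explains the missing expiry; Strict also withholds the cookie on a top-level navigation that starts on another site, so a user following a link to the UI from a wiki or e-mail lands on the login page even with a live session. That trade-off is deliberate for an auth cookie but deserves a note next to the call, e.g. `// SameSite=Strict: also withheld on cross-site top-level navigations, so links from other sites land on the login page`. It is also worth stating that this is defence in depth only and that the CSRFPreventionToken stored on the line above remains the primary CSRF control. The enclosing function begins outside this hunk.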
@@ -332,7 +332,7 @@ utilities: {
 	    return;
 	}
 	// ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure"
-	Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true);
+	Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "strict");
 	window.localStorage.removeItem("ProxmoxUser");
     },
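Review bot: The deletion on the new line passes `null` as the path, which the override added in Toolkit.js turns into no `path` attribute at all (only `undefined` yields `path=/`), whereas the cookie is created with an explicit `'/'`; a browser only removes a cookie whose name, domain and path all match, so this presumably works today only because the UI is served from the root path. Passing the same path as the setter removes that assumption: `Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), '/', null, true, "strict");`. This mismatch predates the patch; the SameSite attribute itself is not part of the match key, so adding it here is harmless but also not what makes the deletion succeed. The enclosing function begins outside this hunk.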
 
-- 
2.39.2




