* [pve-devel] [PATCH http-server] fix external linking when cookie was acquired via HTML formatter
@ 2024-10-14 12:13 Dominik Csapak
2024-10-15 13:31 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Dominik Csapak @ 2024-10-14 12:13 UTC (permalink / raw)
To: pve-devel
currently we set the SameSite attribute to `Strict` which prevents
linking from external sites with the cookies set.
(For a detailed explanation of this see [0])
so with the same rationale as in [0], set the cookie SameSite attribute
to 'Lax', which is very similar behavior as 'Strict' but allows linking
from external resources[1].
0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/
1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
this is thought as a follow up to [0], but can be applied independently
since most users will not use the HTML formatter normally.
(Since it's mostly intended for debugging/developing)
src/PVE/APIServer/Formatter.pm | 2 +-
src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm
index 142127a..a8550a6 100644
--- a/src/PVE/APIServer/Formatter.pm
+++ b/src/PVE/APIServer/Formatter.pm
@@ -92,7 +92,7 @@ sub create_auth_cookie {
my $encticket = uri_escape($ticket);
- return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
+ return "${cookie_name}=$encticket; path=/; secure; SameSite=Lax;";
}
sub create_auth_header {
diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm
index 2558703..6be0049 100644
--- a/src/PVE/APIServer/Formatter/Bootstrap.pm
+++ b/src/PVE/APIServer/Formatter/Bootstrap.pm
@@ -89,7 +89,7 @@ sub body {
$jssetup .= "PVE.delete_auth_cookie = function() {\n";
if ($self->{cookie_name}) {
- $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
+ $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Lax;\";\n";
};
$jssetup .= "};\n";
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pve-devel] applied: [PATCH http-server] fix external linking when cookie was acquired via HTML formatter
2024-10-14 12:13 [pve-devel] [PATCH http-server] fix external linking when cookie was acquired via HTML formatter Dominik Csapak
@ 2024-10-15 13:31 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2024-10-15 13:31 UTC (permalink / raw)
To: Proxmox VE development discussion, Dominik Csapak
Am 14/10/2024 um 14:13 schrieb Dominik Csapak:
> currently we set the SameSite attribute to `Strict` which prevents
> linking from external sites with the cookies set.
> (For a detailed explanation of this see [0])
>
> so with the same rationale as in [0], set the cookie SameSite attribute
> to 'Lax', which is very similar behavior as 'Strict' but allows linking
> from external resources[1].
>
> 0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/
> 1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> this is thought as a follow up to [0], but can be applied independently
> since most users will not use the HTML formatter normally.
> (Since it's mostly intended for debugging/developing)
>
> src/PVE/APIServer/Formatter.pm | 2 +-
> src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
>
applied, thanks!
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-10-15 13:31 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-10-14 12:13 [pve-devel] [PATCH http-server] fix external linking when cookie was acquired via HTML formatter Dominik Csapak
2024-10-15 13:31 ` [pve-devel] applied: " Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox