public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH http-server] fix external linking when cookie was acquired via HTML formatter
@ 2024-10-14 12:13 Dominik Csapak
  2024-10-15 13:31 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Dominik Csapak @ 2024-10-14 12:13 UTC (permalink / raw)
  To: pve-devel

currently we set the SameSite attribute to `Strict` which prevents
linking from external sites with the cookies set.
(For a detailed explanation of this see [0])

so with the same rationale as in [0], set the cookie SameSite attribute
to 'Lax', which is very similar behavior as 'Strict' but allows linking
from external resources[1].

0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/
1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
this is thought as a follow up to [0], but can be applied independently
since most users will not use the HTML formatter normally.
(Since it's mostly intended for debugging/developing)

 src/PVE/APIServer/Formatter.pm           | 2 +-
 src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm
index 142127a..a8550a6 100644
--- a/src/PVE/APIServer/Formatter.pm
+++ b/src/PVE/APIServer/Formatter.pm
@@ -92,7 +92,7 @@ sub create_auth_cookie {
 
     my $encticket = uri_escape($ticket);
 
-    return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
+    return "${cookie_name}=$encticket; path=/; secure; SameSite=Lax;";
 }
 
 sub create_auth_header {
diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm
index 2558703..6be0049 100644
--- a/src/PVE/APIServer/Formatter/Bootstrap.pm
+++ b/src/PVE/APIServer/Formatter/Bootstrap.pm
@@ -89,7 +89,7 @@ sub body {
     $jssetup .= "PVE.delete_auth_cookie = function() {\n";
 
     if ($self->{cookie_name}) {
-	$jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
+	$jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Lax;\";\n";
     };
     $jssetup .= "};\n";
 
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-10-15 13:31 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-10-14 12:13 [pve-devel] [PATCH http-server] fix external linking when cookie was acquired via HTML formatter Dominik Csapak
2024-10-15 13:31 ` [pve-devel] applied: " Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal