8 files changed, 19 insertions, 4 deletions

diff --git a/lib/config/default.js b/lib/config/default.js
index 9284882a..38bb164b 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -27,6 +27,7 @@ module.exports = {
     upgradeInsecureRequests: 'auto',
     reportURI: undefined
   },
+  cookiePolicy: 'lax',
   protocolUseSSL: false,
   useCDN: false,
   allowAnonymous: true,
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 2d76286f..cf9fb5a1 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -22,6 +22,7 @@ module.exports = {
     enable: toBooleanConfig(process.env.CMD_CSP_ENABLE),
     reportURI: process.env.CMD_CSP_REPORTURI
   },
+  cookiePolicy: process.env.CMD_COOKIE_POLICY,
   protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),
   allowOrigin: toArrayConfig(process.env.CMD_ALLOW_ORIGIN),
   useCDN: toBooleanConfig(process.env.CMD_USECDN),
diff --git a/lib/config/index.js b/lib/config/index.js
index ee4817b3..b5461a8d 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -51,6 +51,11 @@ if (['debug', 'verbose', 'info', 'warn', 'error'].includes(config.loglevel)) {
   logger.error('Selected loglevel %s doesn\'t exist, using default level \'debug\'. Available options: debug, verbose, info, warn, error', config.loglevel)
 }
 
+if (!['strict', 'lax', 'none'].includes(config.cookiePolicy)) {
+  logger.error('Cookie SameSite policy %s does not exist. Falling back to lax. Available values are: strict, lax, none.', config.cookiePolicy)
+  config.cookiePolicy = 'lax'
+}
+
 // load LDAP CA
 if (config.ldap.tlsca) {
   let ca = config.ldap.tlsca.split(',')
diff --git a/lib/csp.js b/lib/csp.js
index fe8bea01..24399436 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -32,6 +32,10 @@ var googleAnalyticsDirectives = {
   scriptSrc: ['https://www.google-analytics.com']
 }
 
+var dropboxDirectives = {
+  scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
+}
+
 CspStrategy.computeDirectives = function () {
   var directives = {}
   mergeDirectives(directives, config.csp.directives)
@@ -39,6 +43,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
   mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
+  mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
   if (!areAllInlineScriptsAllowed(directives)) {
     addInlineScriptExceptions(directives)
   }
diff --git a/lib/utils.js b/lib/utils.js
index 270cbd6a..23873ffc 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -7,7 +7,7 @@ exports.isSQLite = function isSQLite (sequelize) {
 exports.getImageMimeType = function getImageMimeType (imagePath) {
   var fileExtension = /[^.]+$/.exec(imagePath)
 
-  switch (fileExtension[0]) {
+  switch (fileExtension[0].toLowerCase()) {
     case 'bmp':
       return 'image/bmp'
     case 'gif':
diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index 1865ad54..6e3e8373 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -90,7 +90,8 @@ passport.use(new OAuth2CustomStrategy({
   clientSecret: config.oauth2.clientSecret,
   callbackURL: config.serverURL + '/auth/oauth2/callback',
   userProfileURL: config.oauth2.userProfileURL,
-  scope: config.oauth2.scope
+  scope: config.oauth2.scope,
+  state: true
 }, passportGeneralCallback))
 
 oauth2Auth.get('/auth/oauth2', function (req, res, next) {
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index f1af1300..9c6c1c8a 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -59,7 +59,8 @@ exports.newNote = function (req, res, body) {
   models.Note.create({
     ownerId: owner,
     alias: req.alias ? req.alias : null,
-    content: body
+    content: body,
+    title: models.Note.parseNoteTitle(body)
   }).then(function (note) {
     return res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)))
   }).catch(function (err) {
diff --git a/lib/web/statusRouter.js b/lib/web/statusRouter.js
index 025aafd4..febe2df3 100644
--- a/lib/web/statusRouter.js
+++ b/lib/web/statusRouter.js
@@ -97,7 +97,8 @@ statusRouter.get('/config', function (req, res) {
     version: config.fullversion,
     DROPBOX_APP_KEY: config.dropbox.appKey,
     allowedUploadMimeTypes: config.allowedUploadMimeTypes,
-    linkifyHeaderStyle: config.linkifyHeaderStyle
+    linkifyHeaderStyle: config.linkifyHeaderStyle,
+    cookiePolicy: config.cookiePolicy
   }
   res.set({
     'Cache-Control': 'private', // only cache by client