From e77e7b165ac4920290015ec4b95e651730009edc Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Mon, 8 Jun 2020 15:27:31 +0200
Subject: Set all cookies with sameSite: strict

Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict.
See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Signed-off-by: David Mehren
---
 app.js | 3 ++-
 public/js/index.js | 3 ++-
 public/js/lib/common/login.js | 6 ++++--
 public/js/lib/editor/index.js | 24 ++++++++++++++++--------
 public/js/locale.js | 3 ++-
 5 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/app.js b/app.js
index 930191ce..7a66a537 100644
--- a/app.js
+++ b/app.js
@@ -139,7 +139,8 @@ app.use(session({
 saveUninitialized: true, // always create session to ensure the origin
 rolling: true, // reset maxAge on every response
 cookie: {
- maxAge: config.sessionLife
+ maxAge: config.sessionLife,
+ sameSite: 'strict'
 },
 store: sessionStore
 }))
diff --git a/public/js/index.js b/public/js/index.js
index de3c8a6d..ad20ffff 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -1596,7 +1596,8 @@ function toggleNightMode () {
 store.set('nightMode', !isActive)
 } else {
 Cookies.set('nightMode', !isActive, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 }
 }
diff --git a/public/js/lib/common/login.js b/public/js/lib/common/login.js
index 28e5b470..931c115f 100644
--- a/public/js/lib/common/login.js
+++ b/public/js/lib/common/login.js
@@ -19,11 +19,13 @@ export function resetCheckAuth () {
 export function setLoginState (bool, id) {
 Cookies.set('loginstate', bool, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 if (id) {
 Cookies.set('userid', id, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 } else {
 Cookies.remove('userid')
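Review bot: `sameSite: 'strict'` on the session cookie makes the browser withhold it on every cross-site top-level navigation, so if this deployment uses a redirect-based external login (an OAuth2/SAML/OpenID-style callback from an identity provider), the callback request will arrive without the session and any login state or nonce kept in it will not be found; `sameSite: 'lax'` keeps the cookie on top-level GET navigations while still blocking cross-site POSTs and subresource requests. The same `cookie:` block still does not set `secure`, and express-session only marks the cookie Secure when asked; when the app is served over HTTPS (possibly behind a TLS-terminating proxy with `trust proxy` configured) `secure: true` belongs next to `sameSite`. A comment such as `// 'strict' also withholds the cookie on cross-site login callbacks; use 'lax' if an external identity provider redirects back here` would record the trade-off for the next reader. The `app.use(session({` call this hunk edits opens before the hunk.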
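Review bot: The `loginstate` and `userid` cookies in `setLoginState` are written from browser JavaScript, so they are necessarily not HttpOnly and can be read or rewritten by any script running on the origin; `sameSite` only limits which requests carry them, not whether their values can be trusted, and `userid` in particular must not be consulted server-side for authorization (the server-side session remains the authority). A comment above the first `Cookies.set` such as `// UI-only hints set from JS (not HttpOnly); the server must never rely on these for authorization` would make that explicit. `setLoginState` closes after the end of the hunk.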
diff --git a/public/js/lib/editor/index.js b/public/js/lib/editor/index.js
index 8553caa9..07ef58a1 100644
--- a/public/js/lib/editor/index.js
+++ b/public/js/lib/editor/index.js
@@ -303,12 +303,14 @@ export default class Editor {
 const setType = () => {
 if (this.editor.getOption('indentWithTabs')) {
 Cookies.set('indent_type', 'tab', {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 type.text('Tab Size:')
 } else {
 Cookies.set('indent_type', 'space', {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 type.text('Spaces:')
 }
@@ -319,11 +321,13 @@ export default class Editor {
 var unit = this.editor.getOption('indentUnit')
 if (this.editor.getOption('indentWithTabs')) {
 Cookies.set('tab_size', unit, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 } else {
 Cookies.set('space_units', unit, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 }
 widthLabel.text(unit)
@@ -391,7 +395,8 @@ export default class Editor {
 const setKeymapLabel = () => {
 var keymap = this.editor.getOption('keyMap')
 Cookies.set('keymap', keymap, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 label.text(keymap)
 this.restoreOverrideEditorKeymap()
@@ -439,7 +444,8 @@ export default class Editor {
 }
 this.editor.setOption('theme', theme)
 Cookies.set('theme', theme, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 checkTheme()
@@ -484,7 +490,8 @@ export default class Editor {
 this.editor.setOption('mode', mode)
 }
 Cookies.set('spellcheck', mode === 'spell-checker', {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 checkSpellcheck()
@@ -529,7 +536,8 @@ export default class Editor {
 )
 if (overrideBrowserKeymap.is(':checked')) {
 Cookies.set('preferences-override-browser-keymap', true, {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 this.restoreOverrideEditorKeymap()
 } else {
diff --git a/public/js/locale.js b/public/js/locale.js
index 71c0f99f..670370d4 100644
--- a/public/js/locale.js
+++ b/public/js/locale.js
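Review bot: The same options literal `{ expires: 365, sameSite: 'strict' }` is now repeated in eight `Cookies.set` calls across these hunks (and again in login.js, index.js and locale.js), so the next attribute change — for instance adding `secure` for HTTPS deployments — has to be made in every call and is easy to miss in one. Route the preference cookies through a single module-level helper so the cookie policy lives in one place, e.g. `const setPrefCookie = (name, value) => Cookies.set(name, value, { expires: 365, sameSite: 'strict' })`, and call `setPrefCookie('indent_type', 'tab')` and friends instead. Building the options object inside the helper on each call also avoids handing the cookie library a shared mutable object. The `Editor` class these hunks belong to begins and ends outside the diff.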
@@ -25,7 +25,8 @@ $('select.ui-locale option[value="' + lang + '"]').attr('selected', 'selected')
 locale.change(function () {
 Cookies.set('locale', $(this).val(), {
- expires: 365
+ expires: 365,
+ sameSite: 'strict'
 })
 window.location.reload()
 })
-- cgit v1.2.3

From 2215da9431bf4a3a1f921a7542887525048d0c1c Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Mon, 8 Jun 2020 15:29:27 +0200
Subject: Disable unneeded 'io' cookie.

According to https://github.com/socketio/socket.io/issues/2276 this cookie is not used for anything. To avoid browser warnings about the sameSite attribute, we disable it here.

Signed-off-by: David Mehren
---
 app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app.js b/app.js
index 7a66a537..265eb475 100644
--- a/app.js
+++ b/app.js
@@ -57,7 +57,7 @@ app.use(morgan('combined', {
 }))
 // socket io
-var io = require('socket.io')(server)
+var io = require('socket.io')(server, { cookie: false })
 io.engine.ws = new (require('ws').Server)({
 noServer: true,
 perMessageDeflate: false
-- cgit v1.2.3
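Review bot: The new `{ cookie: false }` argument on the `var io` line carries no comment explaining why the default `io` cookie is switched off, so the rationale (it is unused by this app and would otherwise produce browser SameSite warnings) survives only in the commit message. A comment such as `// disable socket.io's default 'io' cookie: unused here, and it would trigger browser SameSite warnings` directly above `var io = require('socket.io')(server, { cookie: false })` keeps the reason next to the code. The option is presumably forwarded to the underlying transport engine rather than handled by socket.io itself, so it is worth re-checking that it is still honoured when that dependency is upgraded.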