re-lax samesite cookie policy

As per discussion in code review:

> Cookies are always scoped in browsers. That's not the issue. SameSite attribute just protects against CSRF attacks. But Get requests (aka links) are also "protected" with Strict, which breaks it… and for users that is highly confusing when they (apparently arbitrarily) do not get the language they have set before when clicking a link.

https://github.com/PrivateBin/PrivateBin/pull/1287#discussion_r1589299210
This commit is contained in:
El RIDO 2024-05-04 12:12:31 +02:00
parent 5425ea79f8
commit 81fdf8ebfc
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
6 changed files with 7 additions and 7 deletions

View File

@ -6,7 +6,7 @@
* ADDED: Optional Bootstrap CSS 5.3.3 based template, use configuration `template = "bootstrap5"` to switch to it (#728)
* CHANGED: "Send" button now labeled "Create" (#946)
* CHANGED: Drop some PHP < 5.6 fallbacks, minimum version is PHP 7.3 as of release 1.6.0
* CHANGED: Set `lang` cookie with strict `SameSite` property
* CHANGED: Set `lang` cookie with lax `SameSite` property
* FIXED: Add cache control headers also to API calls (#1263)
* FIXED: Shortened paste URL does not appear in email (#606)

View File

@ -3855,7 +3855,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
*/
function setLanguage(event)
{
document.cookie = 'lang=' + $(event.target).data('lang') + '; SameSite=Strict; Secure';
document.cookie = 'lang=' + $(event.target).data('lang') + '; SameSite=Lax; Secure';
UiHelper.reloadHome();
event.preventDefault();
}

View File

@ -178,7 +178,7 @@ class Controller
// force default language, if language selection is disabled and a default is set
if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) {
$_COOKIE['lang'] = $lang;
setcookie('lang', $lang, array('SameSite' => 'Strict', 'Secure' => true));
setcookie('lang', $lang, array('SameSite' => 'Lax', 'Secure' => true));
}
}
@ -389,7 +389,7 @@ class Controller
$languageselection = '';
if ($this->_conf->getKey('languageselection')) {
$languageselection = I18n::getLanguage();
setcookie('lang', $languageselection, array('SameSite' => 'Strict', 'Secure' => true));
setcookie('lang', $languageselection, array('SameSite' => 'Lax', 'Secure' => true));
}
// strip policies that are unsupported in meta tag

View File

@ -73,7 +73,7 @@ endif;
?>
<script type="text/javascript" data-cfasync="false" src="js/purify-3.0.8.js" integrity="sha512-wWBDKh5wYGtJ1Df+PPZIn59jHVBnJ4/Yb2W/pVnzaXab8cmlZnHVx+FEBGu5JX39s3P2Qlt+aNQou0XnjW86hg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-dnAMHEB/N45qtF/qOwHyoNge04nmKMJGAsIiqGMANHRwH9bkJBGdoJU58L9W0iqs7t20Tei+1dWFOU3h6j6lYQ==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-hqatct2X1I7GZZFAvbnaWU+QPz+cIhBQIxhXtR50aq+pTfhvUljqzqoLi4Yli6P+GIV6IFlm5Yf/uvdEvSjMcA==" crossorigin="anonymous"></script>
<!-- icon -->
<link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" />
<link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" />

View File

@ -57,7 +57,7 @@ endif;
?>
<script type="text/javascript" data-cfasync="false" src="js/purify-3.0.8.js" integrity="sha512-wWBDKh5wYGtJ1Df+PPZIn59jHVBnJ4/Yb2W/pVnzaXab8cmlZnHVx+FEBGu5JX39s3P2Qlt+aNQou0XnjW86hg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-dnAMHEB/N45qtF/qOwHyoNge04nmKMJGAsIiqGMANHRwH9bkJBGdoJU58L9W0iqs7t20Tei+1dWFOU3h6j6lYQ==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-hqatct2X1I7GZZFAvbnaWU+QPz+cIhBQIxhXtR50aq+pTfhvUljqzqoLi4Yli6P+GIV6IFlm5Yf/uvdEvSjMcA==" crossorigin="anonymous"></script>
<!-- icon -->
<link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" />
<link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" />

View File

@ -51,7 +51,7 @@ endif;
?>
<script type="text/javascript" data-cfasync="false" src="js/purify-3.0.8.js" integrity="sha512-wWBDKh5wYGtJ1Df+PPZIn59jHVBnJ4/Yb2W/pVnzaXab8cmlZnHVx+FEBGu5JX39s3P2Qlt+aNQou0XnjW86hg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-dnAMHEB/N45qtF/qOwHyoNge04nmKMJGAsIiqGMANHRwH9bkJBGdoJU58L9W0iqs7t20Tei+1dWFOU3h6j6lYQ==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-hqatct2X1I7GZZFAvbnaWU+QPz+cIhBQIxhXtR50aq+pTfhvUljqzqoLi4Yli6P+GIV6IFlm5Yf/uvdEvSjMcA==" crossorigin="anonymous"></script>
<!-- icon -->
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />