[pve-devel] [PATCH http-server 3/4] formatter/bootstrap: set SameSite attr of auth cookie to 'strict'
Max Carrara
m.carrara at proxmox.com
Wed Mar 15 17:26:29 CET 2023
This prohibits the cookie from being sent along in cross-site
sub-requests or when the user navigates to a different site.
Signed-off-by: Max Carrara <m.carrara at proxmox.com>
---
src/PVE/APIServer/Formatter.pm | 2 +-
src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm
index 20455a0..142127a 100644
--- a/src/PVE/APIServer/Formatter.pm
+++ b/src/PVE/APIServer/Formatter.pm
@@ -92,7 +92,7 @@ sub create_auth_cookie {
my $encticket = uri_escape($ticket);
- return "${cookie_name}=$encticket; path=/; secure;";
+ return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
}
sub create_auth_header {
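Review bot: `SameSite=Strict` also withholds the cookie on top-level cross-site navigations (a bookmark or link from another origin into the UI arrives without the ticket and forces a fresh login), so the commit message should state that this is the intended trade-off versus `Lax`, which still blocks cross-site sub-requests but allows such navigations. Minor style points in the same line: the existing attributes are lowercase (`path=/; secure;`) while the new one is CamelCase, and the string keeps a trailing `;` after the last attribute; both are accepted by browsers since attribute names are case-insensitive, but a consistent `Path=/; Secure; SameSite=Strict` without the trailing separator would read cleaner.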
diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm
index e67554a..a1288d2 100644
--- a/src/PVE/APIServer/Formatter/Bootstrap.pm
+++ b/src/PVE/APIServer/Formatter/Bootstrap.pm
@@ -88,7 +88,7 @@ sub body {
$jssetup .= "PVE.delete_auth_cookie = function() {\n";
if ($self->{cookie_name}) {
- $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure;\";\n";
+ $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
};
$jssetup .= "};\n";
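Review bot: the `SameSite` attribute is not part of a cookie's identity (only name, domain and path are), so adding it to the expiring `document.cookie` assignment is not required for the overwrite to clear the cookie set in `create_auth_cookie`; keeping the two strings identical is still a reasonable choice, but the commit message should say this hunk is for consistency only. As a side note, this line is now well past the usual width; splitting the generated attribute list into a concatenated Perl string would make the two copies easier to diff against each other in future.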
--
2.39.2