[pve-devel] [PATCH proxmox-widget-toolkit 1/4] toolkit/utils: set SameSite attr of auth cookie to 'strict'

Max Carrara m.carrara at proxmox.com
Wed Mar 15 17:26:27 CET 2023


Overrides 'Ext.util.Cookies', optionally allowing the SameSite
attribute of cookies to be defined. Using this override, the SameSite
attribute of the auth cookie is now set to 'strict', prohibiting the
cookie from being sent along in cross-site sub-requests or when the
user navigates to a different site.

Signed-off-by: Max Carrara <m.carrara at proxmox.com>
---
 src/Toolkit.js | 33 +++++++++++++++++++++++++++++++++
 src/Utils.js   |  4 ++--
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/Toolkit.js b/src/Toolkit.js
index 4314fb4..1cf8bc7 100644
--- a/src/Toolkit.js
+++ b/src/Toolkit.js
@@ -702,6 +702,39 @@ Ext.define('Proxmox.dd.DragDropManager', {
     },
 });
 
+// make it possible to set the SameSite attribute on cookies
+Ext.define('Proxmox.Cookies', {
+    override: 'Ext.util.Cookies',
+
+    set: function(name, value, expires, path, domain, secure, samesite) {
+	let attrs = [];
+
+	if (expires) {
+	    attrs.push("expires=" + expires.toUTCString());
+	}
+
+	if (path === undefined) { // mimic original function's behaviour
+	    attrs.push("path=/");
+	} else if (path) {
+	    attrs.push("path=" + path);
+	}
+
+	if (domain) {
+	    attrs.push("domain=" + domain);
+	}
+
+	if (secure === true) {
+	    attrs.push("secure");
+	}
+
+	if (samesite && ["lax", "none", "strict"].includes(samesite.toLowerCase())) {
+	    attrs.push("samesite=" + samesite);
+	}
+
+	document.cookie = name + "=" + escape(value) + "; " + attrs.join("; ");
+    },
+});
+
 // force alert boxes to be rendered with an Error Icon
 // since Ext.Msg is an object and not a prototype, we need to override it
 // after the framework has been initiated
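Review bot: The `samesite` validation at the `["lax", "none", "strict"].includes(...)` line silently drops an unrecognised value, so a typo in a caller (e.g. "Strict " with trailing space, or "strictt") leaves the cookie with the browser's default SameSite behaviour and nothing reports it; a hardening attribute that fails open without a trace is easy to miss in review and in the field. Rejecting loudly is cheap here: `} else if (samesite) { throw new Error("invalid SameSite value: " + samesite); }` after the existing `if`, or at minimum a `console.warn`. The same branch could also guard the `samesite=None` / `secure` pairing, since browsers reject a `None` cookie that is not also `secure`, which would again fail silently. The override carries no doc comment; a short JSDoc stating that the parameter order mirrors `Ext.util.Cookies.set` (name, value, expires, path, domain, secure) with `samesite` appended, and that `path === undefined` maps to `path=/` while `null` omits the attribute to match the framework's behaviour, would help the next maintainer who has to keep it in sync with the ExtJS original.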
diff --git a/src/Utils.js b/src/Utils.js
index c9c00a9..2343afd 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -306,7 +306,7 @@ utilities: {
 	// that way the cookie gets deleted after the browser window is closed
 	if (data.ticket) {
 	    Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
-	    Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true);
+	    Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "strict");
 	}
 
 	if (data.token) {
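Review bot: The new `"strict"` argument on the `Ext.util.Cookies.set` line is undocumented at the call site, and the trade-off is not obvious from the code: with `SameSite=Strict` the auth cookie is also withheld on top-level navigations that originate from another site, so a user following an external link into the UI will appear logged out and must re-authenticate. A one-line comment above the call, such as `// SameSite=Strict: cookie is never sent on cross-site requests, including top-level navigations from other sites; CSRF token check above remains the primary protection`, would record that this is intended rather than a regression when the behaviour is reported. It is worth stating explicitly that the attribute complements, and does not replace, the `Proxmox.CSRFPreventionToken` assignment two lines earlier, since older browsers ignore SameSite entirely. The enclosing function starts and ends outside the hunk.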
@@ -332,7 +332,7 @@ utilities: {
 	    return;
 	}
 	// ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure"
-	Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true);
+	Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "strict");
 	window.localStorage.removeItem("ProxmoxUser");
     },
 
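Review bot: SameSite is not part of a cookie's identity (only name, domain and path are), so the added `"strict"` on the clearing `Ext.util.Cookies.set` call has no effect on whether the expired cookie replaces the live one; it is harmless but worth a comment so nobody later assumes it is required for deletion to work. What does matter is that name, path and domain match the cookie written at login, and this call passes `null` for path where the login path passes `'/'`, which under the override in Toolkit.js means no `path=` attribute is emitted and the browser falls back to the current document's directory. That is pre-existing behaviour, but if the UI is ever served from a sub-path the logout cookie would no longer match; aligning the two calls with `'/'` removes the dependency. The enclosing function begins outside the hunk.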
-- 
2.39.2





