[pve-devel] applied: [PATCH http-server] fix external linking when cookie was acquired via HTML formatter

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Oct 15 15:31:32 CEST 2024


Am 14/10/2024 um 14:13 schrieb Dominik Csapak:
> currently we set the SameSite attribute to `Strict` which prevents
> linking from external sites with the cookies set.
> (For a detailed explanation of this see [0])
> 
> so with the same rationale as in [0], set the cookie SameSite attribute
> to 'Lax', which is very similar behavior as 'Strict' but allows linking
> from external resources[1].
> 
> 0: https://lore.proxmox.com/pve-devel/20241007150251.3295598-1-d.csapak@proxmox.com/
> 1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> this is thought as a follow up to [0], but can be applied independently
> since most users will not use the HTML formatter normally.
> (Since it's mostly intended for debugging/developing)
> 
>  src/PVE/APIServer/Formatter.pm           | 2 +-
>  src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
>

applied, thanks!




More information about the pve-devel mailing list