From 06ff0230474f9c3b5baa4e5827b897f42fe16213 Mon Sep 17 00:00:00 2001 From: Stefan Date: Wed, 8 Jun 2016 21:14:10 +0200 Subject: [PATCH] Add secure flag to cookies on client side if pad accessed through https --- src/static/js/pad_cookie.js | 7 ++++++- src/static/js/pad_utils.js | 7 +++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/src/static/js/pad_cookie.js b/src/static/js/pad_cookie.js index 9866dbfdd..b563a7e60 100644 --- a/src/static/js/pad_cookie.js +++ b/src/static/js/pad_cookie.js @@ -43,7 +43,8 @@ var padcookie = (function() { var expiresDate = new Date(); expiresDate.setFullYear(3000); - document.cookie = ('prefs=' + safeText + ';expires=' + expiresDate.toGMTString()); + var secure = isHttpsScheme() ? ";secure" : ""; + document.cookie = ('prefs=' + safeText + ';expires=' + expiresDate.toGMTString() + secure); } function parseCookie(text) @@ -79,6 +80,10 @@ var padcookie = (function() alreadyWarnedAboutNoCookies = true; } } + + function isHttpsScheme() { + return window.location.protocol == "https:"; + } var wasNoCookie = true; var cookieData = {}; diff --git a/src/static/js/pad_utils.js b/src/static/js/pad_utils.js index 5a7700c94..eafa14bb8 100644 --- a/src/static/js/pad_utils.js +++ b/src/static/js/pad_utils.js @@ -53,13 +53,16 @@ function createCookie(name, value, days, path){ /* Used by IE */ if(!path){ // IF the Path of the cookie isn't set then just create it on root path = "/"; } + + //Check if we accessed the pad over https + var secure = window.location.protocol == "https:" ? ";secure" : ""; //Check if the browser is IE and if so make sure the full path is set in the cookie if((navigator.appName == 'Microsoft Internet Explorer') || ((navigator.appName == 'Netscape') && (new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})").exec(navigator.userAgent) != null))){ - document.cookie = name + "=" + value + expires + "; path=/"; /* Note this bodge fix for IE is temporary until auth is rewritten */ + document.cookie = name + "=" + value + expires + "; path=/" + secure; /* Note this bodge fix for IE is temporary until auth is rewritten */ } else{ - document.cookie = name + "=" + value + expires + "; path=" + path; + document.cookie = name + "=" + value + expires + "; path=" + path + secure; } }