Same site cookie fix - Ready for testing / merge (#3990)

* initial fix for httpprefs * token * express_sid fix
2025-01-31 19:02:59 +01:00 · 2020-07-10 08:43:20 +01:00 · 2020-07-10 08:43:20 +01:00 · b15154cc23
commit b15154cc23
parent 3ea8d571e7
3 changed files with 18 additions and 3 deletions
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -128,6 +128,12 @@ exports.expressConfigure = function (hook_name, args, cb) {
    exports.secret = settings.sessionKey;
  }

+  if(settings.ssl){
+    var sameSite = "Strict";
+  }else{
+    var sameSite = "Lax";
+  }
+
  args.app.sessionStore = exports.sessionStore;
  args.app.use(sessionModule({
    secret: exports.secret,
@ -137,6 +143,12 @@ exports.expressConfigure = function (hook_name, args, cb) {
    name: 'express_sid',
    proxy: true,
    cookie: {
+      /*
+       * Firefox started enforcing sameSite, see https://github.com/ether/etherpad-lite/issues/3989
+       * for details.  In response we set it based on if SSL certs are set in Etherpad.  Note that if
+       * You use Nginx or so for reverse proxy this may cause problems.  Use Certificate pinning to remedy.
+       */
+      sameSite: sameSite,
      /*
       * The automatic express-session mechanism for determining if the
       * application is being served over ssl is similar to the one used for
--- a/src/static/js/pad_cookie.js
+++ b/src/static/js/pad_cookie.js
@ -46,7 +46,8 @@ var padcookie = (function()
    var expiresDate = new Date();
    expiresDate.setFullYear(3000);
    var secure = isHttpsScheme() ? ";secure" : "";
-    document.cookie = (cookieName + "=" + safeText + ";expires=" + expiresDate.toGMTString() + secure);
+    var sameSite = isHttpsScheme() ?  ";sameSite=Strict": ";sameSite=Lax";
+    document.cookie = (cookieName + "=" + safeText + ";expires=" + expiresDate.toGMTString() + secure + sameSite);
  }

  function parseCookie(text)
--- a/src/static/js/pad_utils.js
+++ b/src/static/js/pad_utils.js
@ -56,13 +56,15 @@ function createCookie(name, value, days, path){ /* Used by IE */

  //Check if we accessed the pad over https
  var secure = window.location.protocol == "https:" ? ";secure" : "";
+  var isHttpsScheme = window.location.protocol === "https:";
+  var sameSite = isHttpsScheme ?  ";sameSite=Strict": ";sameSite=Lax";

  //Check if the browser is IE and if so make sure the full path is set in the cookie
  if((navigator.appName == 'Microsoft Internet Explorer') || ((navigator.appName == 'Netscape') && (new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})").exec(navigator.userAgent) != null))){
-    document.cookie = name + "=" + value + expires + "; path=/" + secure; /* Note this bodge fix for IE is temporary until auth is rewritten */
+    document.cookie = name + "=" + value + expires + "; path=/" + secure + sameSite; /* Note this bodge fix for IE is temporary until auth is rewritten */
  }
  else{
-    document.cookie = name + "=" + value + expires + "; path=" + path + secure;
+    document.cookie = name + "=" + value + expires + "; path=" + path + secure + sameSite;
  }

 }