Same site cookie fix - Ready for testing / merge (#3990)

* initial fix for httpprefs

* token

* express_sid fix

src/node/hooks/express/webaccess.js

@@ -128,6 +128,12 @@ exports.expressConfigure = function (hook_name, args, cb) {
     exports.secret = settings.sessionKey;
   }
 
+  if(settings.ssl){
+    var sameSite = "Strict";
+  }else{
+    var sameSite = "Lax";
+  }
+
   args.app.sessionStore = exports.sessionStore;
   args.app.use(sessionModule({
     secret: exports.secret,
@@ -137,6 +143,12 @@ exports.expressConfigure = function (hook_name, args, cb) {
     name: 'express_sid',
     proxy: true,
     cookie: {
+      /*
+       * Firefox started enforcing sameSite, see https://github.com/ether/etherpad-lite/issues/3989
+       * for details.  In response we set it based on if SSL certs are set in Etherpad.  Note that if
+       * You use Nginx or so for reverse proxy this may cause problems.  Use Certificate pinning to remedy.
+       */
+      sameSite: sameSite,
       /*
        * The automatic express-session mechanism for determining if the
        * application is being served over ssl is similar to the one used for

src/static/js/pad_cookie.js

@@ -46,7 +46,8 @@ var padcookie = (function()
     var expiresDate = new Date();
     expiresDate.setFullYear(3000);
     var secure = isHttpsScheme() ? ";secure" : "";
-    document.cookie = (cookieName + "=" + safeText + ";expires=" + expiresDate.toGMTString() + secure);
+    var sameSite = isHttpsScheme() ?  ";sameSite=Strict": ";sameSite=Lax";
+    document.cookie = (cookieName + "=" + safeText + ";expires=" + expiresDate.toGMTString() + secure + sameSite);
   }
 
   function parseCookie(text)

src/static/js/pad_utils.js

@@ -56,13 +56,15 @@ function createCookie(name, value, days, path){ /* Used by IE */
 
   //Check if we accessed the pad over https
   var secure = window.location.protocol == "https:" ? ";secure" : "";
+  var isHttpsScheme = window.location.protocol === "https:";
+  var sameSite = isHttpsScheme ?  ";sameSite=Strict": ";sameSite=Lax";
 
   //Check if the browser is IE and if so make sure the full path is set in the cookie
   if((navigator.appName == 'Microsoft Internet Explorer') || ((navigator.appName == 'Netscape') && (new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})").exec(navigator.userAgent) != null))){
-    document.cookie = name + "=" + value + expires + "; path=/" + secure; /* Note this bodge fix for IE is temporary until auth is rewritten */
+    document.cookie = name + "=" + value + expires + "; path=/" + secure + sameSite; /* Note this bodge fix for IE is temporary until auth is rewritten */
   }
   else{
-    document.cookie = name + "=" + value + expires + "; path=" + path + secure;
+    document.cookie = name + "=" + value + expires + "; path=" + path + secure + sameSite;
   }
 
 }