From 81fdf8ebfce549b7e262ffd2c528bc521ed92a80 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 4 May 2024 12:12:31 +0200
Subject: [PATCH] re-lax samesite cookie policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As per discussion in code review:

> Cookies are always scoped in browsers. That's not the issue. SameSite attribute just protects against CSRF attacks. But Get requests (aka links) are also "protected" with Strict, which breaks it… and for users that is highly confusing when they (apparently arbitrarily) do not get the language they have set before when clicking a link.

https://github.com/PrivateBin/PrivateBin/pull/1287#discussion_r1589299210
---
 CHANGELOG.md | 2 +-
 js/privatebin.js | 2 +-
 lib/Controller.php | 4 ++--
 tpl/bootstrap.php | 2 +-
 tpl/bootstrap5.php | 2 +-
 tpl/page.php | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0fa2a33..18804dbc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@
 * ADDED: Optional Bootstrap CSS 5.3.3 based template, use configuration `template = "bootstrap5"` to switch to it (#728)
 * CHANGED: "Send" button now labeled "Create" (#946)
 * CHANGED: Drop some PHP < 5.6 fallbacks, minimum version is PHP 7.3 as of release 1.6.0
-* CHANGED: Set `lang` cookie with strict `SameSite` property
+* CHANGED: Set `lang` cookie with lax `SameSite` property
 * FIXED: Add cache control headers also to API calls (#1263)
 * FIXED: Shortened paste URL does not appear in email (#606)
diff --git a/js/privatebin.js b/js/privatebin.js
index fdb0902c..e9c0dcde 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -3855,7 +3855,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 */
 function setLanguage(event)
 {
- document.cookie = 'lang=' + $(event.target).data('lang') + '; SameSite=Strict; Secure';
+ document.cookie = 'lang=' + $(event.target).data('lang') + '; SameSite=Lax; Secure';
 UiHelper.reloadHome();
 event.preventDefault();
 }
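Review bot: The value returned by `$(event.target).data('lang')` is concatenated into `document.cookie` unencoded on the `+` line, so a value containing `;` or `=` would corrupt the attribute string that follows it. The value presumably comes from the template's own markup rather than from user input, so this is hardening rather than a defect, but `encodeURIComponent` keeps the cookie well-formed and mirrors the URL-encoding PHP's `setcookie()` applies to the same cookie in lib/Controller.php: `document.cookie = 'lang=' + encodeURIComponent($(event.target).data('lang')) + '; SameSite=Lax; Secure';`. No `Path` or `Max-Age` is given, so this is a session cookie scoped by the browser's default-path rule, and with `Secure` the write is silently dropped on a plain-http deployment; a one-line comment above the assignment stating that both writers rely on that default scoping would help the next maintainer. setLanguage's docblock begins outside the hunk.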
diff --git a/lib/Controller.php b/lib/Controller.php
index 65bfa650..7fd317ad 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -178,7 +178,7 @@ class Controller
 // force default language, if language selection is disabled and a default is set
 if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) {
 $_COOKIE['lang'] = $lang;
- setcookie('lang', $lang, array('SameSite' => 'Strict', 'Secure' => true));
+ setcookie('lang', $lang, array('SameSite' => 'Lax', 'Secure' => true));
 }
 }
@@ -389,7 +389,7 @@ class Controller
 $languageselection = '';
 if ($this->_conf->getKey('languageselection')) {
 $languageselection = I18n::getLanguage();
- setcookie('lang', $languageselection, array('SameSite' => 'Strict', 'Secure' => true));
+ setcookie('lang', $languageselection, array('SameSite' => 'Lax', 'Secure' => true));
 }
 // strip policies that are unsupported in meta tag
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 0cf27f2f..9b6a7c58 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -73,7 +73,7 @@ endif; ?> - +
diff --git a/tpl/bootstrap5.php b/tpl/bootstrap5.php
index 90fb2a99..e8ea5ea7 100644
--- a/tpl/bootstrap5.php
+++ b/tpl/bootstrap5.php
@@ -57,7 +57,7 @@ endif; ?> - +
diff --git a/tpl/page.php b/tpl/page.php
index dbbc5631..a5cd9fbb 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -51,7 +51,7 @@ endif; ?> - +
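Review bot: The two `setcookie()` calls in the hunks at lines 178 and 389 repeat the same attribute array, which is why this policy change had to be edited in two places here and once more in js/privatebin.js; a single class constant, `private const LANG_COOKIE_OPTIONS = array('SameSite' => 'Lax', 'Secure' => true);`, referenced from both call sites would stop them drifting apart again. Neither call passes `expires` or `path`, so by PHP's defaults this is a session cookie scoped to the request's directory, which is presumably intended but deserves a short `//` comment since the JavaScript writer depends on the same scoping. `Lax` is a sound choice for a display-preference cookie: it is still sent on top-level cross-site navigations, the link case the commit fixes, but not on cross-site subrequests or cross-site POSTs, so it does not widen CSRF exposure of any state-changing endpoint. The `Secure` flag means browsers discard the cookie on plain-http deployments, so the forced default language at line 178 will not persist there either. The enclosing methods start and end outside both hunks.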