cookies: Use `SameSite=None` if in an iframe from another site

pull/4392/head
Richard Hansen 2020-10-02 23:53:05 -04:00 committed by John McLear
parent bf53162cdd
commit 2db4b04af3
5 changed files with 71 additions and 4 deletions

View File

@ -336,6 +336,24 @@
*/ */
"trustProxy": "${TRUST_PROXY:false}", "trustProxy": "${TRUST_PROXY:false}",
/*
* Settings controlling the session cookie issued by Etherpad.
*/
"cookie": {
/*
* Value of the SameSite cookie property. "Lax" is recommended unless
* Etherpad will be embedded in an iframe from another site, in which case
* this must be set to "None". Note: "None" will not work (the browser will
* not send the cookie to Etherpad) unless https is used to access Etherpad
* (either directly or via a reverse proxy with "trustProxy" set to true).
*
* "Strict" is not recommended because it has few security benefits but
* significant usability drawbacks vs. "Lax". See
* https://stackoverflow.com/q/41841880 for discussion.
*/
"sameSite": "${COOKIE_SAME_SITE:Lax}"
},
/* /*
* Privacy: disable IP logging * Privacy: disable IP logging
*/ */

View File

@ -339,6 +339,24 @@
*/ */
"trustProxy": false, "trustProxy": false,
/*
* Settings controlling the session cookie issued by Etherpad.
*/
"cookie": {
/*
* Value of the SameSite cookie property. "Lax" is recommended unless
* Etherpad will be embedded in an iframe from another site, in which case
* this must be set to "None". Note: "None" will not work (the browser will
* not send the cookie to Etherpad) unless https is used to access Etherpad
* (either directly or via a reverse proxy with "trustProxy" set to true).
*
* "Strict" is not recommended because it has few security benefits but
* significant usability drawbacks vs. "Lax". See
* https://stackoverflow.com/q/41841880 for discussion.
*/
"sameSite": "Lax"
},
/* /*
* Privacy: disable IP logging * Privacy: disable IP logging
*/ */

View File

@ -237,9 +237,7 @@ exports.expressConfigure = (hook_name, args, cb) => {
name: 'express_sid', name: 'express_sid',
proxy: true, proxy: true,
cookie: { cookie: {
// `Strict` is not used because it has few security benefits but significant usability sameSite: settings.cookie.sameSite,
// drawbacks vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
sameSite: 'Lax',
/* /*
* The automatic express-session mechanism for determining if the * The automatic express-session mechanism for determining if the
* application is being served over ssl is similar to the one used for * application is being served over ssl is similar to the one used for

View File

@ -268,6 +268,24 @@ exports.sessionKey = false;
*/ */
exports.trustProxy = false; exports.trustProxy = false;
/*
* Settings controlling the session cookie issued by Etherpad.
*/
exports.cookie = {
/*
* Value of the SameSite cookie property. "Lax" is recommended unless
* Etherpad will be embedded in an iframe from another site, in which case
* this must be set to "None". Note: "None" will not work (the browser will
* not send the cookie to Etherpad) unless https is used to access Etherpad
* (either directly or via a reverse proxy with "trustProxy" set to true).
*
* "Strict" is not recommended because it has few security benefits but
* significant usability drawbacks vs. "Lax". See
* https://stackoverflow.com/q/41841880 for discussion.
*/
sameSite: 'Lax',
};
/* /*
* This setting is used if you need authentication and/or * This setting is used if you need authentication and/or
* authorization. Note: /admin always requires authentication, and * authorization. Note: /admin always requires authentication, and

View File

@ -528,13 +528,28 @@ padutils.setupGlobalExceptionHandler = setupGlobalExceptionHandler;
padutils.binarySearch = require('./ace2_common').binarySearch; padutils.binarySearch = require('./ace2_common').binarySearch;
// https://stackoverflow.com/a/42660748
function inThirdPartyIframe() {
try {
return (!window.top.location.hostname);
} catch (e) {
return true;
}
}
// This file is included from Node so that it can reuse randomString, but Node doesn't have a global // This file is included from Node so that it can reuse randomString, but Node doesn't have a global
// window object. // window object.
if (typeof window !== 'undefined') { if (typeof window !== 'undefined') {
exports.Cookies = require('js-cookie/src/js.cookie'); exports.Cookies = require('js-cookie/src/js.cookie');
// Use `SameSite=Lax`, unless Etherpad is embedded in an iframe from another site in which case
// use `SameSite=None`. For iframes from another site, only `None` has a chance of working
// because the cookies are third-party (not same-site). Many browsers/users block third-party
// cookies, but maybe blocked is better than definitely blocked (which would happen with `Lax`
// or `Strict`). Note: `None` will not work unless secure is true.
//
// `Strict` is not used because it has few security benefits but significant usability drawbacks // `Strict` is not used because it has few security benefits but significant usability drawbacks
// vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion. // vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
exports.Cookies.defaults.sameSite = 'Lax'; exports.Cookies.defaults.sameSite = inThirdPartyIframe() ? 'None' : 'Lax';
exports.Cookies.defaults.secure = window.location.protocol === 'https:'; exports.Cookies.defaults.secure = window.location.protocol === 'https:';
} }
exports.randomString = randomString; exports.randomString = randomString;