Module: tools Branch: master Commit: ed449d824215cde3122cc8838f49952f3fe745a6 URL: https://source.winehq.org/git/tools.git/?a=commit;h=ed449d824215cde3122cc883...
Author: Francois Gouget fgouget@codeweavers.com Date: Wed Mar 30 19:03:44 2022 +0200
testbot/cgi: Use SameSite=Lax on our session cookies.
So far we were not specifying SameSite, which means it defaulted to None in older browsers and potentially allowed some cross-site attacks. Newer browsers now default to Lax, so explicitly use that.
Signed-off-by: Francois Gouget fgouget@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
testbot/lib/WineTestBot/CGI/PageBase.pm | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index 19a5aec..759cfd0 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -137,6 +137,7 @@ sub UnsetCookies($)
 -Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
 -Domain => $ENV{"HTTP_HOST"},
 -Path => "/",
+ -SameSite => "Lax",
 -Secure => $UseSSL);
 $Request->err_headers_out->add("Set-Cookie", $Cookie);
 }
@@ -147,6 +148,7 @@ sub UnsetCookies($)
 -Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
 -Domain => $ENV{"HTTP_HOST"},
 -Path => "/",
+ -SameSite => "Lax",
 -Secure => !1);
 $Request->err_headers_out->add("Set-Cookie", $Cookie);
 }
@@ -178,6 +180,7 @@ sub SetCookies($)
 $Cookie = CGI::Cookie->new(-Name => "SessionId",
 -Value => $Session->Id,
 -Expires => $Expire,
+ -SameSite => "Lax",
 -Secure => $UseSSL,
 -HttpOnly => 1);
 $Request->err_headers_out->add("Set-Cookie", $Cookie);
@@ -199,6 +202,7 @@ sub SetCookies($)
 $Cookie = CGI::Cookie->new(-Name => "SessionActive",
 -Value => $SessionPermanent,
 -Expires => $Expire,
+ -SameSite => "Lax",
 -Secure => !1,
 -HttpOnly => 1);
 $Request->err_headers_out->add("Set-Cookie", $Cookie);
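Review bot: `-SameSite => "Lax"` is only honoured by CGI::Cookie releases that know the samesite attribute; on an older CGI.pm the key is presumably ignored without any error and the cookie is emitted exactly as before, so the commit should also record the minimum CGI.pm version it now relies on (I have not verified which release added it), at least in a comment next to the first use in UnsetCookies. The same bare literal is repeated in all four hunks; a single `my $SameSite = "Lax";` (or a `use constant`) shared by UnsetCookies and SetCookies would keep the two subs from drifting apart the next time the policy changes. A one-line comment on the SessionId cookie would also help the next reader, e.g. `# Lax still sends the cookie on top-level cross-site GET navigations, so it does not protect GET handlers that change state.` Both UnsetCookies and SetCookies start and end outside the hunks.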