Francois Gouget : testbot/cgi: Use SameSite=Lax on our session cookies.
Alexandre Julliard
julliard at winehq.org
Wed Mar 30 15:17:55 CDT 2022
Module: tools
Branch: master
Commit: ed449d824215cde3122cc8838f49952f3fe745a6
URL: https://source.winehq.org/git/tools.git/?a=commit;h=ed449d824215cde3122cc8838f49952f3fe745a6
Author: Francois Gouget <fgouget at codeweavers.com>
Date: Wed Mar 30 19:03:44 2022 +0200
testbot/cgi: Use SameSite=Lax on our session cookies.
So far we were not specifying SameSite which means it defaulted to None
in older browsers which potentially allowed some cross-site attacks.
Newer browser would now default to Lax so explicitly use that.
Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
testbot/lib/WineTestBot/CGI/PageBase.pm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index 19a5aec..759cfd0 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -137,6 +137,7 @@ sub UnsetCookies($)
-Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
-Domain => $ENV{"HTTP_HOST"},
-Path => "/",
+ -SameSite => "Lax",
-Secure => $UseSSL);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
}
@@ -147,6 +148,7 @@ sub UnsetCookies($)
-Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
-Domain => $ENV{"HTTP_HOST"},
-Path => "/",
+ -SameSite => "Lax",
-Secure => !1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
}
@@ -178,6 +180,7 @@ sub SetCookies($)
$Cookie = CGI::Cookie->new(-Name => "SessionId",
-Value => $Session->Id,
-Expires => $Expire,
+ -SameSite => "Lax",
-Secure => $UseSSL,
-HttpOnly => 1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
@@ -199,6 +202,7 @@ sub SetCookies($)
$Cookie = CGI::Cookie->new(-Name => "SessionActive",
-Value => $SessionPermanent,
-Expires => $Expire,
+ -SameSite => "Lax",
-Secure => !1,
-HttpOnly => 1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
More information about the wine-cvs
mailing list