[tools] testbot/cgi: Use SameSite=Lax on our session cookies.

Francois Gouget fgouget at codeweavers.com
Wed Mar 30 12:03:44 CDT 2022 

So far we were not specifying SameSite which means it defaulted to None
in older browsers which potentially allowed some cross-site attacks.
Newer browser would now default to Lax so explicitly use that.

Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
---
My understanding of SameSite=Strict is that one would not be logged in
after following a link found in one of the TestBot's emails. That does
not seem very practical so SameSite=Lax seems like a better choice.

It implies that the TestBot should not allow sensitive changes through
the Get method... On the one hand I don't think the TestBot makes a
distinction between Get and Post. But on the other hand I don't think
one can do anything sensitive with the TestBot (at least for non-admin
users). This latter part probably requires some more investigation 
independently from this patch.
---
 testbot/lib/WineTestBot/CGI/PageBase.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index a54b0e206..4837b9f54 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -137,6 +137,7 @@ sub UnsetCookies($)
                                   -Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
                                   -Domain  => $ENV{"HTTP_HOST"},
                                   -Path    => "/",
+                                  -SameSite => "Lax",
                                   -Secure  => $UseSSL);
     $Request->err_headers_out->add("Set-Cookie", $Cookie);
   }
@@ -147,6 +148,7 @@ sub UnsetCookies($)
                                   -Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
                                   -Domain  => $ENV{"HTTP_HOST"},
                                   -Path    => "/",
+                                  -SameSite => "Lax",
                                   -Secure  => !1);
     $Request->err_headers_out->add("Set-Cookie", $Cookie);
   }
@@ -178,6 +180,7 @@ sub SetCookies($)
       $Cookie = CGI::Cookie->new(-Name    => "SessionId",
                                  -Value   => $Session->Id,
                                  -Expires => $Expire,
+                                 -SameSite => "Lax",
                                  -Secure  => $UseSSL,
                                  -HttpOnly => 1);
       $Request->err_headers_out->add("Set-Cookie", $Cookie);
@@ -199,6 +202,7 @@ sub SetCookies($)
     $Cookie = CGI::Cookie->new(-Name    => "SessionActive",
                                -Value   => $SessionPermanent,
                                -Expires => $Expire,
+                               -SameSite => "Lax",
                                -Secure  => !1,
                                -HttpOnly => 1);
     $Request->err_headers_out->add("Set-Cookie", $Cookie);
-- 
2.30.2

More information about the wine-devel mailing list