[tools] testbot/cgi: Use SameSite=Lax on our session cookies.
Francois Gouget
fgouget at codeweavers.com
Wed Mar 30 12:03:44 CDT 2022
So far we were not specifying SameSite, which means it defaulted to None
in older browsers, which potentially allowed some cross-site attacks.
Newer browsers would now default to Lax, so explicitly use that.
Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
---
My understanding of SameSite=Strict is that one would not be logged in
after following a link found in one of the TestBot's emails. That does
not seem very practical so SameSite=Lax seems like a better choice.
It implies that the TestBot should not allow sensitive changes through
the Get method... On the one hand I don't think the TestBot makes a
distinction between Get and Post. But on the other hand I don't think
one can do anything sensitive with the TestBot (at least for non-admin
users). This latter part probably requires some more investigation
independently from this patch.
---
testbot/lib/WineTestBot/CGI/PageBase.pm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index a54b0e206..4837b9f54 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -137,6 +137,7 @@ sub UnsetCookies($)
-Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
-Domain => $ENV{"HTTP_HOST"},
-Path => "/",
+ -SameSite => "Lax",
-Secure => $UseSSL);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
}
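Review bot: the new `-SameSite => "Lax"` line relies on the installed CGI::Cookie accepting a -SameSite option; please state the minimum CGI.pm version this needs in the commit message and check that an older module does not silently drop the attribute. For this deletion cookie the attribute is harmless either way, since a browser matches the cookie to expire by name, domain (`-Domain => $ENV{"HTTP_HOST"}`) and path (`-Path => "/"`), not by SameSite.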
@@ -147,6 +148,7 @@ sub UnsetCookies($)
-Expires => "Sun, 25 Jul 1997 05:00:00 GMT",
-Domain => $ENV{"HTTP_HOST"},
-Path => "/",
+ -SameSite => "Lax",
-Secure => !1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
}
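Review bot: this block differs from the previous hunk only in `-Secure => !1`, and the same attribute list now appears four times across UnsetCookies and SetCookies; a small helper that builds the common attributes (or a shared constant for the SameSite value) would keep the policy in one place and avoid the two copies drifting apart the next time an attribute is added.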
@@ -178,6 +180,7 @@ sub SetCookies($)
$Cookie = CGI::Cookie->new(-Name => "SessionId",
-Value => $Session->Id,
-Expires => $Expire,
+ -SameSite => "Lax",
-Secure => $UseSSL,
-HttpOnly => 1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
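Review bot: Lax still sends the SessionId cookie on cross-site top-level GET navigations, so the protection added here only holds if no state-changing action is reachable through GET; the cover letter says the TestBot does not distinguish GET from POST, so that assumption should be recorded next to `-SameSite => "Lax"` (a comment or a sentence in the commit message) rather than left to a separate investigation. The cookie keeps `-Secure => $UseSSL` and `-HttpOnly => 1`, so SameSite complements those attributes rather than replacing them.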
@@ -199,6 +202,7 @@ sub SetCookies($)
$Cookie = CGI::Cookie->new(-Name => "SessionActive",
-Value => $SessionPermanent,
-Expires => $Expire,
+ -SameSite => "Lax",
-Secure => !1,
-HttpOnly => 1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
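Review bot: SessionActive is deliberately sent without Secure (`-Secure => !1`), so after this change SameSite=Lax is the only cross-site restriction on a cookie carrying `$SessionPermanent`; a short comment explaining why this cookie must stay non-Secure (presumably so it is visible on plain HTTP) would help the next reader understand why it gets weaker attributes than SessionId.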
--
2.30.2