From b9a642da1ec290386d04245eb17175866e40308c Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Tue, 28 Aug 2018 00:40:58 +0200
Subject: [PATCH 1/4] Add Secure and SameSite cookie flags

---
 config/config.exs | 3 ++-
 lib/pleroma/web/endpoint.ex | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/config/config.exs b/config/config.exs
index eaf20e8f9..d5e28f586 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -24,7 +24,8 @@ config :pleroma, Pleroma.Web.Endpoint,
 protocol: "https",
 secret_key_base: "aK4Abxf29xU9TTDKre9coZPUgevcVCFQJe/5xP/7Lt4BEif6idBIbjupVbOrbKxl",
 render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)],
- pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2]
+ pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2],
+ secure_cookie_flag: true
 
 # Configures Elixir's Logger
 config :logger, :console,
diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index cbedca004..e81bc75b6 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -49,7 +49,9 @@ defmodule Pleroma.Web.Endpoint do
 Plug.Session,
 store: :cookie,
 key: "_pleroma_key",
- signing_salt: "CqaoopA2"
+ signing_salt: "CqaoopA2",
+ secure: Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
+ extra: "SameSite=Lax"
 )
 
 plug(Pleroma.Web.Router)

From 0c4493f144dc4cbac6c4d090c9f5be67fa88599b Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Tue, 28 Aug 2018 00:47:34 +0200
Subject: [PATCH 2/4] Fix formatting

---
 lib/pleroma/web/endpoint.ex | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index e81bc75b6..7bbb9480d 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
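Review bot: `secure_cookie_flag: true` is added to config/config.exs, the base config every Mix environment inherits, so a dev or test endpoint served over plain HTTP will have browsers refuse to store the session cookie and logins there fail with no error on the server side; the `protocol: "https"` context line suggests the author is thinking of the production deployment only. Override the key to `false` in the dev and test config files (outside this hunk) rather than leaving it to operators to edit the base file, and document the key where it is introduced, e.g. `# Adds the Secure attribute to the session cookie; set to false only where the endpoint is reachable solely over plain HTTP (local dev)`. The `config :pleroma, Pleroma.Web.Endpoint,` keyword list this hunk extends begins above the hunk.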
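Review bot: `Keyword.get(:secure_cookie_flag)` on the new `secure:` line has no default, so a deployment whose endpoint config omits the key yields `secure: nil` and the Secure attribute is silently dropped — the failure mode should be the other way round. Use `Keyword.get(:secure_cookie_flag, true)` so a missing key keeps the attribute, or `Keyword.fetch!/2` so it fails loudly at build time. As far as I can tell Plug.Builder evaluates plug options while the endpoint module is compiled, so this `Application.get_env` call is read once at compile time rather than per request; that is fine for config imported at compile time but deserves a comment such as `# read at compile time; changing the flag requires recompiling the endpoint`. The `plug(Plug.Session, ...)` call this hunk edits begins above the hunk.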
@@ -50,7 +50,8 @@ defmodule Pleroma.Web.Endpoint do
 store: :cookie,
 key: "_pleroma_key",
 signing_salt: "CqaoopA2",
- secure: Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
+ secure:
+ Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
 extra: "SameSite=Lax"
 )
 

From 4656a07e9e394f451ea48646901ae61c7f0c9f86 Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Tue, 28 Aug 2018 14:03:29 +0200
Subject: [PATCH 3/4] Set SameSite flag to 'Strict'

---
 lib/pleroma/web/endpoint.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index 7bbb9480d..17f6b9bb6 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -52,7 +52,7 @@ defmodule Pleroma.Web.Endpoint do
 signing_salt: "CqaoopA2",
 secure:
 Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
- extra: "SameSite=Lax"
+ extra: "SameSite=Strict"
 )
 
 plug(Pleroma.Web.Router)

From 18ad8aaecfae154deabab6f82da0c06dcf91d4c1 Mon Sep 17 00:00:00 2001
From: shibayashi
Date: Tue, 28 Aug 2018 22:34:31 +0200
Subject: [PATCH 4/4] Explicitly set 'http_only' to true

---
 lib/pleroma/web/endpoint.ex | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index 17f6b9bb6..6e60c9017 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -50,6 +50,7 @@ defmodule Pleroma.Web.Endpoint do
 store: :cookie,
 key: "_pleroma_key",
 signing_salt: "CqaoopA2",
+ http_only: true,
 secure:
 Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
 extra: "SameSite=Strict"
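Review bot: `extra: "SameSite=Strict"` withholds the session cookie on every cross-site request, including top-level navigations, so a user who follows a link to this instance from another site or from an e-mail arrives logged out until they navigate again within the site; `Lax` already keeps the cookie off cross-site POSTs, which is the part that matters for CSRF on the session cookie, so the step to Strict buys little and costs usability for a federated application. If Strict is the intended trade-off, record it on the line: `# Strict: cookie is withheld on all cross-site requests, including links into this instance from elsewhere`. The `plug(Plug.Session, ...)` call begins above the hunk.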
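Review bot: `http_only: true` restates the default Plug already applies to response cookies, so the added line changes no behaviour; keeping it as a pin against a future library default change is reasonable, but that is exactly the intent a reader cannot recover from the line, so state it: `# explicit although it is Plug's default, so a library change cannot silently expose the session cookie to scripts`. Note the asymmetry with the `secure:` line two below, whose value still comes from config without a default. The `plug(Plug.Session, ...)` call begins above the hunk and its closing `)` lies below it.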