This prohibits the cookie from being sent along in cross-site sub-requests or when the user navigates to a different site.
Signed-off-by: Max Carrara <m.carr...@proxmox.com> --- src/PVE/APIServer/Formatter.pm | 2 +- src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm index 20455a0..142127a 100644 --- a/src/PVE/APIServer/Formatter.pm +++ b/src/PVE/APIServer/Formatter.pm @@ -92,7 +92,7 @@ sub create_auth_cookie { my $encticket = uri_escape($ticket); - return "${cookie_name}=$encticket; path=/; secure;"; + return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;"; } sub create_auth_header { diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm index e67554a..a1288d2 100644 --- a/src/PVE/APIServer/Formatter/Bootstrap.pm +++ b/src/PVE/APIServer/Formatter/Bootstrap.pm @@ -88,7 +88,7 @@ sub body { $jssetup .= "PVE.delete_auth_cookie = function() {\n"; if ($self->{cookie_name}) { - $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure;\";\n"; + $jssetup .= " document.cookie = \"$self->{cookie_name}=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n"; }; $jssetup .= "};\n"; -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel