This prevents the browser from sending the cookie along with cross-site
sub-requests, or when the user arrives by navigating from a different site.

Signed-off-by: Max Carrara <m.carr...@proxmox.com>
---
 src/PVE/APIServer/Formatter.pm           | 2 +-
 src/PVE/APIServer/Formatter/Bootstrap.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/APIServer/Formatter.pm b/src/PVE/APIServer/Formatter.pm
index 20455a0..142127a 100644
--- a/src/PVE/APIServer/Formatter.pm
+++ b/src/PVE/APIServer/Formatter.pm
@@ -92,7 +92,7 @@ sub create_auth_cookie {
 
     my $encticket = uri_escape($ticket);
 
-    return "${cookie_name}=$encticket; path=/; secure;";
+    return "${cookie_name}=$encticket; path=/; secure; SameSite=Strict;";
 }
 
 sub create_auth_header {
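Review bot: SameSite=Strict on the new return line also withholds the cookie on top-level navigations that originate elsewhere, so a user following a link into the web UI from another site or from a mail client lands without a session and has to log in again; SameSite=Lax would still block the cookie on cross-site sub-requests and non-GET requests while allowing those GET navigations. If Strict is the deliberate choice, the trade-off deserves a comment above the return, e.g. `# SameSite=Strict: withheld on all cross-site requests, including top-level navigations from other sites; Lax would be the weaker alternative`. The same comment could record that HttpOnly is not set because Bootstrap.pm expires the cookie from JavaScript via document.cookie, which needs script access to it. If any other code path writes this cookie (client-side login code, for instance), it presumably needs the same attribute, since the browser keeps whichever attributes were set last. create_auth_cookie's body begins before the hunk.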
diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm 
b/src/PVE/APIServer/Formatter/Bootstrap.pm
index e67554a..a1288d2 100644
--- a/src/PVE/APIServer/Formatter/Bootstrap.pm
+++ b/src/PVE/APIServer/Formatter/Bootstrap.pm
@@ -88,7 +88,7 @@ sub body {
     $jssetup .= "PVE.delete_auth_cookie = function() {\n";
 
     if ($self->{cookie_name}) {
-       $jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 
01 Jan 1970 00:00:01 GMT; path=/; secure;\";\n";
+       $jssetup .= "  document.cookie = \"$self->{cookie_name}=; expires=Thu, 
01 Jan 1970 00:00:01 GMT; path=/; secure; SameSite=Strict;\";\n";
     };
     $jssetup .= "};\n";
 
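Review bot: The SameSite attribute on the rewritten deletion string does not influence whether the expired cookie replaces the stored one, because the cookie store matches an overwrite by name, domain and path only, so the attribute here serves symmetry with create_auth_cookie rather than correctness. A short comment would keep a later reader from assuming the attribute lists must be kept in lockstep, e.g. `# attributes mirror create_auth_cookie; only name, domain and path decide which cookie the expiry replaces`. The enclosing sub body starts and ends outside the hunk.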
-- 
2.39.2


