[Rt-commit] rt branch 5.0/add-samesite-cookie-options-alt created. rt-5.0.2-277-g552c940b7e

BPS Git Server git at git.bestpractical.com
Fri Jun 17 23:29:58 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/add-samesite-cookie-options-alt has been created
        at  552c940b7e3054ab282a41cf8201423426ae143f (commit)

- Log -----------------------------------------------------------------
commit 552c940b7e3054ab282a41cf8201423426ae143f
Author: Brian Conry <bconry at bestpractical.com>
Date:   Fri Jun 17 17:17:01 2022 -0500

    Add SameSite to cookies from WebSameSiteCookies
    
    This change adds the SameSite option to RT's session cookies, with a
    default value based on the value of WebSecureCookies, using 'Lax'
    when WebSecureCookies is 0 and 'Strict' when WebSecureCookies is 1.
    
    It also provides a config option, WebSameSiteCookies, to allow the value
    to be changed from the default.  Current standards allow values of
    'Strict', 'Lax', and 'None'.  Any value other than these will cause a
    warning to be logged.  Current standards also require the Secure option
    to be set on the cookie when using the 'None' value, so a warning is
    logged if 'None' is specified and WebSecureCookies isn't set.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 1b7720241e..37df8ce0e7 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1414,6 +1414,20 @@ connections.
 
 Set($WebSecureCookies, 0);
 
+=item C<$WebSameSiteCookies>
+
+The default value depends on the value of C<WebSecureCookies>, using
+'Lax' when C<WebSecureCookies> is set to 0 and 'Strict' when it is set
+to 1.  Setting a value for C<WebSameSiteCookies> overrides the default
+behavior.  The value may also be set to 'None', which current web
+standards require C<WebSecureCookies> be set to 1.  See
+https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+for more details on what this cookie option means.
+
+=cut
+
+Set($WebSameSiteCookies, '');
+
 =item C<$WebHttpOnlyCookies>
 
 Default RT's session cookie to not being directly accessible to
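Review bot: the new C<$WebSameSiteCookies> entry never says which values are accepted, while the neighbouring C<=item> blocks open with a sentence describing the option. Suggest stating up front that the accepted values are 'Strict', 'Lax' and 'None', that the shipped default of '' means "derive from C<WebSecureCookies>", and that any other value is only warned about at startup rather than rejected (which is what the Config.pm check in this change does). The sentence "which current web standards require C<WebSecureCookies> be set to 1" is ungrammatical; something like "Current web standards require that C<WebSecureCookies> be set to 1 when 'None' is used, otherwise browsers may reject the cookie" reads cleanly.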
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 89276eeba7..81d0d17d31 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1778,6 +1778,26 @@ our %META;
     WebRemoteUserGecos => {
         Widget => '/Widgets/Form/Boolean',
     },
+    WebSameSiteCookies => {
+        Widget => '/Widgets/Form/String',
+        PostLoadCheck => sub {
+            my $self = shift;
+            my $value = $self->Get('WebSameSiteCookies') || '';
+
+            # while both of these detected conditions are against current web standards,
+            # web standards have been known to change so these are only logged as warnings.
+            if ($value !~ /^(?:Strict|Lax|)$/i) {
+                if ($value =~ /^None$/i) {
+                    if (not $self->Get('WebSecureCookies')) {
+                        RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' and WebSecureCookies is not set, browsers may reject the cookies.");
+                    }
+                }
+                else {
+                    RT::Logger->warning("The config option 'WebSameSiteCookies' has a value '$value' not known to be in the standard.");
+                }
+            }
+        },
+    },
     WebSecureCookies => {
         Widget => '/Widgets/Form/Boolean',
     },
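Review bot: the check matches case-insensitively (`/^(?:Strict|Lax|)$/i`) but never normalizes the value, so a setting such as 'lax' passes validation silently and is later handed to the cookie unchanged; either normalize it (e.g. `ucfirst lc`) or make the match case-sensitive so the warning fires. The empty alternative at the end of the regex is easy to misread; an explicit `$value eq ''` test before the pattern would make the "unset means default" case obvious. Also confirm the logger call: `RT::Logger->warning(...)` is class-method syntax on a package named RT::Logger, whereas RT's usual forms are `RT->Logger->warning(...)` or `$RT::Logger->warning(...)`; if no such package exists, the warning path dies at config load instead of logging.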
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 82bd3d04c6..4e9a8ea737 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -967,6 +967,7 @@ sub SendSessionCookie {
         -name     => _SessionCookieName(),
         -value    => $HTML::Mason::Commands::session{_session_id},
         -path     => RT->Config->Get('WebPath'),
+        -samesite => ( RT->Config->Get('WebSameSiteCookies') or RT->Config->Get('WebSecureCookies') ? 'Strict' : 'Lax' ),
         -secure   => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
         -httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
     );
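Review bot: the `-samesite` expression is correct only because `or` binds more loosely than `?:`, so it parses as `Get('WebSameSiteCookies') or (Get('WebSecureCookies') ? 'Strict' : 'Lax')`; if someone later swaps `or` for `||`, it becomes `(A || B) ? 'Strict' : 'Lax'` and any configured value, including 'None', is silently replaced by 'Strict'. Add the explicit parentheses, or compute the value into a named variable above the `Cookie->new` call, so the intent survives a future edit. The fallback also duplicates the default rule that the commit message describes; keeping it in one place (the config layer) would avoid the two drifting apart.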

-----------------------------------------------------------------------


hooks/post-receive
-- 
rt