cookies: Use SameSite=None if in an iframe from another site

2025-04-30 04:09:13 -04:00 · 2020-10-02 23:53:05 -04:00 · 2020-10-02 23:53:05 -04:00 · 2db4b04af3
commit 2db4b04af3
parent bf53162cdd
5 changed files with 71 additions and 4 deletions
--- a/settings.json.docker
+++ b/settings.json.docker
@ -336,6 +336,24 @@
   */
  "trustProxy": "${TRUST_PROXY:false}",

+  /*
+   * Settings controlling the session cookie issued by Etherpad.
+   */
+  "cookie": {
+    /*
+     * Value of the SameSite cookie property. "Lax" is recommended unless
+     * Etherpad will be embedded in an iframe from another site, in which case
+     * this must be set to "None". Note: "None" will not work (the browser will
+     * not send the cookie to Etherpad) unless https is used to access Etherpad
+     * (either directly or via a reverse proxy with "trustProxy" set to true).
+     *
+     * "Strict" is not recommended because it has few security benefits but
+     * significant usability drawbacks vs. "Lax". See
+     * https://stackoverflow.com/q/41841880 for discussion.
+     */
+    "sameSite": "${COOKIE_SAME_SITE:Lax}"
+  },
+
  /*
   * Privacy: disable IP logging
   */