cookies: Use SameSite=None if in an iframe from another site

Richard Hansen 2020-10-02 23:53:05 -04:00 committed by John McLear
parent bf53162cdd
commit 2db4b04af3
5 changed files with 71 additions and 4 deletions


@ -237,9 +237,7 @@ exports.expressConfigure = (hook_name, args, cb) => {
name: 'express_sid',
proxy: true,
cookie: {
// `Strict` is not used because it has few security benefits but significant usability
// drawbacks vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
sameSite: 'Lax',
sameSite: settings.cookie.sameSite,
/*
* The automatic express-session mechanism for determining if the
* application is being served over ssl is similar to the one used for