cookies: Use SameSite=None if in an iframe from another site

2025-04-23 00:46:16 -04:00 · 2020-10-02 23:53:05 -04:00 · 2020-10-02 23:53:05 -04:00 · 2db4b04af3
commit 2db4b04af3
parent bf53162cdd
5 changed files with 71 additions and 4 deletions
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@ -268,6 +268,24 @@ exports.sessionKey = false;
 */
 exports.trustProxy = false;

+/*
+ * Settings controlling the session cookie issued by Etherpad.
+ */
+exports.cookie = {
+  /*
+   * Value of the SameSite cookie property. "Lax" is recommended unless
+   * Etherpad will be embedded in an iframe from another site, in which case
+   * this must be set to "None". Note: "None" will not work (the browser will
+   * not send the cookie to Etherpad) unless https is used to access Etherpad
+   * (either directly or via a reverse proxy with "trustProxy" set to true).
+   *
+   * "Strict" is not recommended because it has few security benefits but
+   * significant usability drawbacks vs. "Lax". See
+   * https://stackoverflow.com/q/41841880 for discussion.
+   */
+  sameSite: 'Lax',
+};
+
 /*
 * This setting is used if you need authentication and/or
 * authorization. Note: /admin always requires authentication, and