Set the "SameSite=strict" value on cookies (used for authentication) as a further defense-in-depth against CSRF attacks.
Commit
bc643c32f83424be76d6a1f260db1cb24c5fff3b947ccf9750ff81eca5ca27c7
Parent
bf9974cf8d410af…
1 file changed
+3
-4
+3
-4
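--- a/src/cgi.c
+++ b/src/cgi.c
@@ -314,17 +314,16 @@
   if( g.zBaseURL!=0 && fossil_strncmp(g.zBaseURL, "https:", 6)==0 ){
     zSecure = " secure;";
   }
   if( lifetime!=0 ){
     blob_appendf(&extraHeader,
-       "Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; "
-       "%s Version=1\r\n",
+       "Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; SameSite=strict;"
+       " %s\r\n",
         zName, lifetime>0 ? zValue : "null", zPath, lifetime, zSecure);
   }else{
     blob_appendf(&extraHeader,
-       "Set-Cookie: %s=%t; Path=%s; HttpOnly; "
-       "%s Version=1\r\n",
+       "Set-Cookie: %s=%t; Path=%s; HttpOnly; SameSite=strict; %s\r\n",
         zName, zValue, zPath, zSecure);
   }
 }
 
 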
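Review bot: The new format strings leave stray separators at the end of the header: with `zSecure = " secure;"` (context line 315) the emitted attribute list reads `SameSite=strict;  secure;\r\n` (double space, trailing `;`), and when zSecure is empty the header ends in `SameSite=strict; \r\n`. Browsers tolerate both, but since zSecure already carries its own punctuation the output is cleaner if that punctuation appears exactly once, e.g. `zSecure = "; secure";` together with `"... HttpOnly; SameSite=strict%s\r\n"` in both blob_appendf calls (this assumes the other assignment to zSecure, outside the hunk, is the empty string). A short comment next to the attribute would also help, because the commit message only says "defense-in-depth": with SameSite=Strict a top-level navigation arriving from another site is served without the login cookie, so a user following an external link lands logged out until they click within the site, whereas `Lax` keeps the cookie on such navigations while still withholding it from cross-site POSTs. Whatever CSRF check the server already performs should remain in place, since browsers that predate SameSite ignore the attribute entirely. The enclosing function begins before the hunk.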
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -314,17 +314,16 @@ | |
| 314 | if( g.zBaseURL!=0 && fossil_strncmp(g.zBaseURL, "https:", 6)==0 ){ |
| 315 | zSecure = " secure;"; |
| 316 | } |
| 317 | if( lifetime!=0 ){ |
| 318 | blob_appendf(&extraHeader, |
| 319 | "Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; " |
| 320 | "%s Version=1\r\n", |
| 321 | zName, lifetime>0 ? zValue : "null", zPath, lifetime, zSecure); |
| 322 | }else{ |
| 323 | blob_appendf(&extraHeader, |
| 324 | "Set-Cookie: %s=%t; Path=%s; HttpOnly; " |
| 325 | "%s Version=1\r\n", |
| 326 | zName, zValue, zPath, zSecure); |
| 327 | } |
| 328 | } |
| 329 | |
| 330 | |
| 331 |
| --- src/cgi.c | |
| +++ src/cgi.c | |
| @@ -314,17 +314,16 @@ | |
| 314 | if( g.zBaseURL!=0 && fossil_strncmp(g.zBaseURL, "https:", 6)==0 ){ |
| 315 | zSecure = " secure;"; |
| 316 | } |
| 317 | if( lifetime!=0 ){ |
| 318 | blob_appendf(&extraHeader, |
| 319 | "Set-Cookie: %s=%t; Path=%s; max-age=%d; HttpOnly; SameSite=strict;" |
| 320 | " %s\r\n", |
| 321 | zName, lifetime>0 ? zValue : "null", zPath, lifetime, zSecure); |
| 322 | }else{ |
| 323 | blob_appendf(&extraHeader, |
| 324 | "Set-Cookie: %s=%t; Path=%s; HttpOnly; SameSite=strict; %s\r\n", |
| 325 | zName, zValue, zPath, zSecure); |
| 326 | } |
| 327 | } |
| 328 | |
| 329 | |
| 330 |