From e608f571bb34089ca162b9568ce52e019013b7d9 Mon Sep 17 00:00:00 2001 From: Michal Kolodziejski Date: Thu, 1 Apr 2021 10:28:46 +0200 Subject: [PATCH 1/3] Set Lax for the SameSite attribute Signed-off-by: Michal Kolodziejski --- app.js | 5 +++-- public/js/index.js | 3 ++- public/js/lib/common/login.js | 6 ++++-- public/js/lib/editor/index.js | 30 ++++++++++++++++++++---------- public/js/locale.js | 3 ++- 5 files changed, 31 insertions(+), 16 deletions(-) diff --git a/app.js b/app.js index 700f3137c0..d20f0a35f2 100644 --- a/app.js +++ b/app.js @@ -69,7 +69,7 @@ app.use(morgan('combined', { })) // socket io -var io = require('socket.io')(server) +var io = require('socket.io')(server, { cookie: false }) io.engine.ws = new (require('ws').Server)({ noServer: true, perMessageDeflate: false @@ -148,7 +148,8 @@ app.use(session({ saveUninitialized: true, // always create session to ensure the origin rolling: true, // reset maxAge on every response cookie: { - maxAge: config.sessionLife + maxAge: config.sessionLife, + sameSite: 'lax' }, store: sessionStore })) diff --git a/public/js/index.js b/public/js/index.js index 7f4f576ec7..bdbbd68188 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -1600,7 +1600,8 @@ function toggleNightMode () { store.set('nightMode', !isActive) } else { Cookies.set('nightMode', !isActive, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) } } diff --git a/public/js/lib/common/login.js b/public/js/lib/common/login.js index 28e5b4703b..ca09431f91 100644 --- a/public/js/lib/common/login.js +++ b/public/js/lib/common/login.js @@ -19,11 +19,13 @@ export function resetCheckAuth () { export function setLoginState (bool, id) { Cookies.set('loginstate', bool, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) if (id) { Cookies.set('userid', id, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) } else { Cookies.remove('userid') diff --git a/public/js/lib/editor/index.js b/public/js/lib/editor/index.js index eb887da694..a3a45619e8 100644 
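Review bot: The `{ cookie: false }` option handed to socket.io in the first app.js hunk is undocumented, so a reader cannot tell whether the engine's own `io` cookie was dropped on purpose or by accident. If the intent is what it looks like — that cookie cannot be given SameSite/Secure attributes through the options this server version exposes, and nothing on the page shows it being read — say so on the line: `// disable socket.io's own "io" cookie: not used for auth, and it cannot carry SameSite/Secure here`. Confirm the cookie really is unused before committing to that wording.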
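Review bot: The session cookie in the second app.js hunk gains `sameSite: 'lax'` but no `secure` flag, while patch 2 of this series sets `secure` on every client-side preference cookie; the session cookie is the one that carries authentication and is the one that most needs it. Next to `sameSite`, add `secure: 'auto'` (express-session then sets the flag only on TLS connections, which needs `trust proxy` behind a reverse proxy) or a boolean derived from whatever TLS setting the `config` object already exposes — I cannot see that object from here. SameSite=Lax also withholds the cookie on cross-site POSTs, so if any login flow returns to the app via a cross-site POST (a SAML POST binding, for instance), verify that login still completes with the new attribute. The `app.use(session({ … }))` call begins outside the hunk.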
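Review bot: The attribute literal `{ expires: 365, sameSite: 'Lax' }` added to `Cookies.set('nightMode', …)` is copied verbatim into every other `Cookies.set` call in this patch — twice in login.js, ten times in editor/index.js, once in locale.js — and patch 2 then has to touch all fourteen sites again just to add `secure`. A single shared export, e.g. `export const cookieOptions = { expires: 365, sameSite: 'Lax' }` in a common module, passed as `Cookies.set('nightMode', !isActive, cookieOptions)`, keeps the cookie policy in one place so the next attribute change is a one-line edit and no call site can drift. toggleNightMode starts outside the hunk.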
--- a/public/js/lib/editor/index.js +++ b/public/js/lib/editor/index.js @@ -450,12 +450,14 @@ export default class Editor { const setType = () => { if (this.editor.getOption('indentWithTabs')) { Cookies.set('indent_type', 'tab', { - expires: 365 + expires: 365, + sameSite: 'Lax' }) type.text('Tab Size:') } else { Cookies.set('indent_type', 'space', { - expires: 365 + expires: 365, + sameSite: 'Lax' }) type.text('Spaces:') } @@ -466,11 +468,13 @@ export default class Editor { var unit = this.editor.getOption('indentUnit') if (this.editor.getOption('indentWithTabs')) { Cookies.set('tab_size', unit, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) } else { Cookies.set('space_units', unit, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) } widthLabel.text(unit) @@ -538,7 +542,8 @@ export default class Editor { const setKeymapLabel = () => { var keymap = this.editor.getOption('keyMap') Cookies.set('keymap', keymap, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) label.text(keymap) this.restoreOverrideEditorKeymap() @@ -573,7 +578,8 @@ export default class Editor { const setTheme = theme => { this.editor.setOption('theme', theme) Cookies.set('theme', theme, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) this.statusIndicators.find('.status-theme li').removeClass('active') this.statusIndicators.find(`.status-theme li[value="${theme}"]`).addClass('active') @@ -675,7 +681,8 @@ export default class Editor { spellcheckToggle.removeClass('active') Cookies.set('spellcheck', false, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) self.editor.setOption('mode', defaultEditorMode) @@ -683,7 +690,8 @@ export default class Editor { spellcheckToggle.addClass('active') Cookies.set('spellcheck', lang, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) self.editor.setOption('mode', 'spell-checker') 
@@ -704,7 +712,8 @@ export default class Editor { this.editor.setOption('gutters', [lintGutter, ...gutters]) } Cookies.set('linter', true, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) } else { this.editor.setOption('gutters', gutters.filter(g => g !== lintGutter)) @@ -753,7 +762,8 @@ export default class Editor { ) if (overrideBrowserKeymap.is(':checked')) { Cookies.set('preferences-override-browser-keymap', true, { - expires: 365 + expires: 365, + sameSite: 'Lax' }) this.restoreOverrideEditorKeymap() } else { diff --git a/public/js/locale.js b/public/js/locale.js index 71c0f99fb5..a782236ff6 100644 --- a/public/js/locale.js +++ b/public/js/locale.js @@ -25,7 +25,8 @@ $('select.ui-locale option[value="' + lang + '"]').attr('selected', 'selected') locale.change(function () { Cookies.set('locale', $(this).val(), { - expires: 365 + expires: 365, + sameSite: 'Lax' }) window.location.reload() }) From c8eab9477ee94a3f16e81561db750ef000231883 Mon Sep 17 00:00:00 2001 From: Michal Kolodziejski Date: Wed, 5 May 2021 07:47:41 +0200 Subject: [PATCH 2/3] Set secure attribute on cookies if possible Signed-off-by: Michal Kolodziejski --- public/js/index.js | 3 ++- public/js/lib/common/login.js | 6 ++++-- public/js/lib/editor/index.js | 30 ++++++++++++++++++++---------- public/js/locale.js | 3 ++- 4 files changed, 28 insertions(+), 14 deletions(-) diff --git a/public/js/index.js b/public/js/index.js index bdbbd68188..af8fcf3a98 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -1601,7 +1601,8 @@ function toggleNightMode () { } else { Cookies.set('nightMode', !isActive, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) } } diff --git a/public/js/lib/common/login.js b/public/js/lib/common/login.js index ca09431f91..6e2557f153 100644 --- a/public/js/lib/common/login.js +++ b/public/js/lib/common/login.js 
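Review bot: `secure: window.location.protocol === 'https:'` in the patch-2 index.js hunk is added without a comment saying why the flag is conditional rather than simply `true`; the reason worth recording is that browsers refuse to store a Secure cookie set from a plain-http origin, so an unconditional flag would silently drop every preference cookie on non-TLS deployments. Add `// Secure cookies cannot be set from http: origins, so only request the flag when served over TLS` above the line. As far as I recall js-cookie skips falsy attributes entirely, so `secure: false` emits nothing rather than a bogus attribute — worth a quick check against the version pinned in patch 3. The same expression is repeated in the login.js, editor/index.js and locale.js hunks of this patch, which is a further reason to hoist the whole options object into one shared constant. toggleNightMode starts outside the hunk.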
@@ -20,12 +20,14 @@ export function resetCheckAuth () { export function setLoginState (bool, id) { Cookies.set('loginstate', bool, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) if (id) { Cookies.set('userid', id, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) } else { Cookies.remove('userid') diff --git a/public/js/lib/editor/index.js b/public/js/lib/editor/index.js index a3a45619e8..d405a08b35 100644 --- a/public/js/lib/editor/index.js +++ b/public/js/lib/editor/index.js @@ -451,13 +451,15 @@ export default class Editor { if (this.editor.getOption('indentWithTabs')) { Cookies.set('indent_type', 'tab', { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) type.text('Tab Size:') } else { Cookies.set('indent_type', 'space', { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) type.text('Spaces:') } @@ -469,12 +471,14 @@ export default class Editor { if (this.editor.getOption('indentWithTabs')) { Cookies.set('tab_size', unit, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) } else { Cookies.set('space_units', unit, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) } widthLabel.text(unit) @@ -543,7 +547,8 @@ export default class Editor { var keymap = this.editor.getOption('keyMap') Cookies.set('keymap', keymap, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) label.text(keymap) this.restoreOverrideEditorKeymap() 
@@ -579,7 +584,8 @@ export default class Editor { this.editor.setOption('theme', theme) Cookies.set('theme', theme, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) this.statusIndicators.find('.status-theme li').removeClass('active') this.statusIndicators.find(`.status-theme li[value="${theme}"]`).addClass('active') @@ -682,7 +688,8 @@ export default class Editor { Cookies.set('spellcheck', false, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) self.editor.setOption('mode', defaultEditorMode) @@ -691,7 +698,8 @@ export default class Editor { Cookies.set('spellcheck', lang, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) self.editor.setOption('mode', 'spell-checker') @@ -713,7 +721,8 @@ export default class Editor { } Cookies.set('linter', true, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) } else { this.editor.setOption('gutters', gutters.filter(g => g !== lintGutter)) @@ -763,7 +772,8 @@ export default class Editor { if (overrideBrowserKeymap.is(':checked')) { Cookies.set('preferences-override-browser-keymap', true, { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) this.restoreOverrideEditorKeymap() } else { diff --git a/public/js/locale.js b/public/js/locale.js index a782236ff6..110b427b1d 100644 --- a/public/js/locale.js +++ b/public/js/locale.js @@ -26,7 +26,8 @@ $('select.ui-locale option[value="' + lang + '"]').attr('selected', 'selected') locale.change(function () { Cookies.set('locale', $(this).val(), { expires: 365, - sameSite: 'Lax' + sameSite: 'Lax', + secure: window.location.protocol === 'https:' }) window.location.reload() }) From 01392c9238c3ae832674b587a8b6b6e10b1ec708 Mon Sep 17 00:00:00 2001 
From: Michal Kolodziejski Date: Tue, 3 Aug 2021 12:12:27 +0200 Subject: [PATCH 3/3] Upgrade js-cookie to v3.0.0 Signed-off-by: Michal Kolodziejski --- package-lock.json | 6 +++--- package.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index 6abf438585..806db038eb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9293,9 +9293,9 @@ } }, "js-cookie": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz", - "integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ==", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.0.tgz", + "integrity": "sha512-oUbbplKuH07/XX2YD2+Q+GMiPpnVXaRz8npE7suhBH9QEkJe2W7mQ6rwuMXHue3fpfcftQwzgyvGzIHyfCSngQ==", "dev": true }, "js-string-escape": { diff --git a/package.json b/package.json index 7306892dd4..5a66a32371 100644 --- a/package.json +++ b/package.json @@ -143,7 +143,7 @@ "jquery": "~3.4.1", "jquery-mousewheel": "~3.1.13", "jquery-ui": "~1.12.1", - "js-cookie": "~2.2.0", + "js-cookie": "^3.0.0", "js-yaml": "~3.13.1", "jsonlint": "~1.6.2", "keymaster": "~1.6.2",