Merge pull request ether#8 from pedrobmarin/samesite-none-settings

Add settings option to force SameSite=None server side
pedrobmarin · Aug 14, 2020 · 561dd1d · 561dd1d
2 parents 585ae1a + ecf4b33
commit 561dd1d
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/settings.json.template b/settings.json.template
@@ -311,6 +311,11 @@
  */
  "trustProxy": true,
 
+ /*
+ * When embedding the pads in an iframe set this to true.
+ */
+ "forceSameSiteNone": false,
+
  /*
  * Privacy: disable IP logging
  */

diff --git a/src/node/hooks/express/specialpages.js b/src/node/hooks/express/specialpages.js
@@ -38,6 +38,16 @@ exports.expressCreateServer = function (hook_name, args, cb) {
  });
  });
 
+ if (settings.forceSameSiteNone) {
+ var sameSite = "None";
+ } else {
+ if (settings.ssl) {
+ var sameSite = "Strict";
+ } else {
+ var sameSite = "Lax";
+ }
+ }
+
  //serve pad.html under /p
  args.app.get('/p/:pad', function(req, res, next)
  {
@@ -60,7 +70,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
  * Please note that this will not be compatible with applications being
  * served over http and https at the same time.
  */
- sameSite: "None",
+ sameSite: sameSite,
  secure: (req.protocol === 'https'),
  }
  res.cookie('language', settings.padOptions.lang, cookieOptions);

diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
@@ -122,6 +122,16 @@ exports.expressConfigure = function (hook_name, args, cb) {
  exports.secret = settings.sessionKey;
  }
 
+ if (settings.forceSameSiteNone) {
+ var sameSite = "None";
+ } else {
+ if (settings.ssl) {
+ var sameSite = "Strict";
+ } else {
+ var sameSite = "Lax";
+ }
+ }
+
  args.app.sessionStore = exports.sessionStore;
  args.app.use(sessionModule({
  secret: exports.secret,
@@ -136,7 +146,7 @@ exports.expressConfigure = function (hook_name, args, cb) {
  * for details. In response we set it based on if SSL certs are set in Etherpad. Note that if
  * You use Nginx or so for reverse proxy this may cause problems. Use Certificate pinning to remedy.
  */
- sameSite: "None",
+ sameSite: sameSite,
  /*
  * The automatic express-session mechanism for determining if the
  * application is being served over ssl is similar to the one used for

diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
@@ -245,6 +245,11 @@ exports.sessionKey = false;
  */
 exports.trustProxy = false;
 
+/*
+ * Force cookie SameSite=None, whether or not force SameSite=None configuration.
+ */
+exports.forceSameSiteNone = false;
+
 /*
  * This setting is used if you need authentication and/or
  * authorization. Note: /admin always requires authentication, and