From 52b704baeb00b43e393bb3157f8eb24a4a7955cb Mon Sep 17 00:00:00 2001
From: corubba
Date: Tue, 31 May 2022 00:35:04 +0200
Subject: [PATCH] Set SameSite on cookies

Setting this attribute on a cookie marks it as non-cross-site, so it is only send in requests to our own server. It is reasonable that no one else should need our session or csrf data. Setting it explicitly also prevents any issues from the ongoing change in browser behaviour [0] when it is unset.

Seasurf supports the SameSite attribute starting with v0.3. As nothing obviously broke, I used the opportunity and updated all the way to the most recent version. The SeaSurf default for SameSite is already `Lax`, so it only needs to be set for the session cookie.

[0] https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
---
 configs/docker_config.py | 1 +
 powerdnsadmin/default_config.py | 1 +
 requirements.txt | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/configs/docker_config.py b/configs/docker_config.py
index 2cc6310..7285252 100644
--- a/configs/docker_config.py
+++ b/configs/docker_config.py
@@ -2,6 +2,7 @@ BIND_ADDRESS = '0.0.0.0'
 PORT = 80
 SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db'
+SESSION_COOKIE_SAMESITE = 'Lax'
 CSRF_COOKIE_HTTPONLY = True
 legal_envvars = (
diff --git a/powerdnsadmin/default_config.py b/powerdnsadmin/default_config.py
index 8737680..93b97b7 100644
--- a/powerdnsadmin/default_config.py
+++ b/powerdnsadmin/default_config.py
@@ -10,6 +10,7 @@ PORT = 9191
 HSTS_ENABLED = False
 OFFLINE_MODE = False
 FILESYSTEM_SESSIONS_ENABLED = False
+SESSION_COOKIE_SAMESITE = 'Lax'
 CSRF_COOKIE_HTTPONLY = True
 ### DATABASE CONFIG
diff --git a/requirements.txt b/requirements.txt
index ce24450..ec2ecbb 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,7 +18,7 @@ pytz==2020.1
 cssmin==0.2.0
 jsmin==3.0.0
 Authlib==0.15
-Flask-SeaSurf==0.2.2
+Flask-SeaSurf==1.1.1
 bravado-core==5.17.0
 lima==0.5
 pytest==6.1.1
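Review bot: `SameSite=Lax` on the new `SESSION_COOKIE_SAMESITE = 'Lax'` line in configs/docker_config.py does not stop the session cookie from being sent on top-level cross-site GET navigations, so it is not a substitute for SeaSurf and any state-changing GET route stays reachable cross-site; a one-line comment above the setting would keep the next maintainer from reading it as "only sent to our own server": `# Lax still attaches the cookie to top-level cross-site GETs; SeaSurf CSRF checks stay required`. The value is also hard-coded while this config is otherwise driven by `legal_envvars` (whose tuple body lies outside the hunk); if `SESSION_COOKIE_SAMESITE` is not listed there, operators cannot tighten it to `'Strict'` without editing the image, so consider adding it to that tuple. Since this config serves plain HTTP on `PORT = 80`, `SESSION_COOKIE_SECURE` cannot be defaulted to `True` here, but deployments that terminate TLS in front of the container should be able to set it the same way.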
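Review bot: The added `SESSION_COOKIE_SAMESITE = 'Lax'` in powerdnsadmin/default_config.py is not paired with `SESSION_COOKIE_SECURE`, and `HSTS_ENABLED = False` sits two lines above it, so out of the box the session cookie is still sent over plaintext HTTP; the cited reference [0] is about the `SameSite=None; Secure` coupling, which is a reminder that the two attributes are normally reviewed together. I would make the default explicit so operators see the knob next to the one just added, e.g. `SESSION_COOKIE_SECURE = False  # set True (with HSTS_ENABLED) when served over TLS`. Flask-SeaSurf 1.x exposes the matching `CSRF_COOKIE_SECURE` setting for the CSRF cookie as far as I recall; verify against the pinned version and document it alongside the existing `CSRF_COOKIE_HTTPONLY = True`.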