From 919ee10a81558b83a3cf494504a18bf4a896bf73 Mon Sep 17 00:00:00 2001
From: MickaelK
Date: Fri, 6 Sep 2024 00:52:26 +1000
Subject: [PATCH] fix (iframe): iframe cookie block rollout
---
 Jenkinsfile | 6 +++---
 server/ctrl/session.go | 49 +++++++++++++++++++++++-------------------
 2 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index afb9769f..775d55c4 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -27,7 +27,7 @@ pipeline {
 sh "npm install"
 sh "make build_frontend"
 }
- docker.image("golang:1.21-bookworm").inside("--user=root") {
+ docker.image("golang:1.23-bookworm").inside("--user=root") {
 // prepare: todo - statically compile plg_image_c so we don't have to do this to pass the e2e tests
 sh "sed -i 's|plg_image_c|plg_image_golang|' server/plugin/index.go"
 // build
@@ -42,7 +42,7 @@ pipeline {
 steps {
 script {
 // smoke test
- docker.image("golang:1.21-bookworm").inside("--user=root") {
+ docker.image("golang:1.23-bookworm").inside("--user=root") {
 sh 'timeout 5 ./dist/filestash > access.log || code=$?; if [ $code -ne 124 ]; then exit $code; fi'
 sh "cat access.log"
 sh "cat access.log | grep -q \"\\[http\\] starting\""
@@ -63,7 +63,7 @@ pipeline {
 // sh "cd public && npm run test"
 }
 // test backend
- docker.image("golang:1.21-bookworm").inside("--user=root") {
+ docker.image("golang:1.23-bookworm").inside("--user=root") {
 sh "cp ./test/assets/* /tmp/"
 sh "go generate ./test/unit_go/..."
 sh "go get ./..."
diff --git a/server/ctrl/session.go b/server/ctrl/session.go
index 8454968b..84099510 100644
--- a/server/ctrl/session.go
+++ b/server/ctrl/session.go
@@ -120,6 +120,7 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
 if Config.Get("features.protection.iframe").String() != "" {
 c.Secure = true
 c.SameSite = http.SameSiteNoneMode
+ c.Partitioned = true
 if f := req.Header.Get("Referer"); f != "" && strings.HasPrefix(f, "https://") == false {
 Log.Warning("you are trying to access Filestash from a non secure origin ('%s') and with iframe enabled. Either use SSL or disable iframe from the admin console.", f)
 }
@@ -162,10 +163,11 @@ func SessionLogout(ctx *App, res http.ResponseWriter, req *http.Request) {
 break
 }
 http.SetCookie(res, &http.Cookie{
- Name: CookieName(index),
- Value: "",
- MaxAge: -1,
- Path: COOKIE_PATH,
+ Name: CookieName(index),
+ Value: "",
+ MaxAge: -1,
+ Path: COOKIE_PATH,
+ Partitioned: true,
 })
 index++
 }
@@ -288,12 +290,13 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request) {
 if req.Method == "GET" && _get.Get("action") == "redirect" {
 if label := _get.Get("label"); label != "" {
 http.SetCookie(res, &http.Cookie{
- Name: SSOCookieName,
- Value: label + "::" + _get.Get("state"),
- MaxAge: 60 * 10,
- Path: COOKIE_PATH,
- HttpOnly: true,
- SameSite: http.SameSiteLaxMode,
+ Name: SSOCookieName,
+ Value: label + "::" + _get.Get("state"),
+ MaxAge: 60 * 10,
+ Path: COOKIE_PATH,
+ HttpOnly: true,
+ SameSite: http.SameSiteLaxMode,
+ Partitioned: true,
 })
 }
 if err := plugin.EntryPoint(idpParams, req, res); err != nil {
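Review bot: The new `c.Partitioned = true` is explained only by the commit title, and a one-line comment would spare the next reader a trip to the CHIPS spec; something like `// Partitioned (CHIPS): keeps the session cookie usable when Filestash is embedded cross-site once browsers stop sending unpartitioned third-party cookies.` Placing it in the branch that already sets `Secure` and `SameSite=None` is the right pairing, since a Partitioned cookie is only accepted together with Secure. The `Partitioned` field first exists in Go 1.23, which matches the Jenkinsfile image bump, but whether go.mod's go directive was raised is not visible here. The cookie `c` is declared before this hunk and SessionAuthenticate continues after it.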
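Review bot: The logout cookie now carries `Partitioned: true` without `Secure`, and browsers that implement CHIPS only accept the Partitioned attribute on a Secure cookie, so this deletion is most likely rejected and the session cookie stays in the browser; the same Partitioned-without-Secure pattern is in the SSO cookie of the @@ -288 hunk and in both cookies of the @@ -437 hunk. Even with Secure added there is an identity problem: partitioning is part of a cookie's key, and the @@ -120 hunk partitions the auth cookie only when the iframe feature is on, so an unpartitioned session cookie is not removed by a partitioned MaxAge=-1 and the session survives logout. Deriving the attributes from the same condition used at login, e.g. `Secure: Config.Get("features.protection.iframe").String() != "",` and `Partitioned: Config.Get("features.protection.iframe").String() != "",` keeps set and delete in agreement; alternatively emit both the partitioned and the unpartitioned deletion. SessionLogout starts before this hunk and the loop enclosing the SetCookie call is cut at both ends.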
@@ -437,20 +440,22 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request) {
 return
 }
 http.SetCookie(res, &http.Cookie{
- Name: COOKIE_NAME_AUTH,
- Value: obfuscate,
- MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
- Path: COOKIE_PATH,
- HttpOnly: true,
- SameSite: http.SameSiteStrictMode,
+ Name: COOKIE_NAME_AUTH,
+ Value: obfuscate,
+ MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
+ Path: COOKIE_PATH,
+ HttpOnly: true,
+ SameSite: http.SameSiteStrictMode,
+ Partitioned: true,
 })
 http.SetCookie(res, &http.Cookie{
- Name: SSOCookieName,
- Value: "",
- MaxAge: -1,
- Path: COOKIE_PATH,
- HttpOnly: true,
- SameSite: http.SameSiteLaxMode,
+ Name: SSOCookieName,
+ Value: "",
+ MaxAge: -1,
+ Path: COOKIE_PATH,
+ HttpOnly: true,
+ SameSite: http.SameSiteLaxMode,
+ Partitioned: true,
 })
 redirectURI := templateBind["next"]
 if redirectURI == "" {
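Review bot: The auth cookie written here keeps `SameSite: http.SameSiteStrictMode` while gaining `Partitioned: true`, which is an odd pair: a Strict cookie is withheld on cross-site requests, including those issued from inside a cross-site iframe, so in the embedded scenario this commit targets the partition attribute changes nothing and the cookie is still missing. If this middleware path is meant to mirror SessionAuthenticate, the three attributes should come from the same iframe condition (`Secure: true`, `SameSite: http.SameSiteNoneMode`, `Partitioned: true`), otherwise Partitioned here only adds the missing-Secure rejection already raised on the @@ -162 hunk. The SSO deletion cookie just below does match the attributes of the SSO cookie set in the @@ -288 hunk, so those two at least agree with each other. SessionAuthMiddleware continues outside this hunk on both sides.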