fix (iframe): iframe cookie block rollout

Jenkinsfile

@@ -27,7 +27,7 @@ pipeline {
                         sh "npm install"
                         sh "make build_frontend"
                     }
-                    docker.image("golang:1.21-bookworm").inside("--user=root") {
+                    docker.image("golang:1.23-bookworm").inside("--user=root") {
                         // prepare: todo - statically compile plg_image_c so we don't have to do this to pass the e2e tests
                         sh "sed -i 's|plg_image_c|plg_image_golang|' server/plugin/index.go"
                         // build
@@ -42,7 +42,7 @@ pipeline {
             steps {
                 script {
                     // smoke test
-                    docker.image("golang:1.21-bookworm").inside("--user=root") {
+                    docker.image("golang:1.23-bookworm").inside("--user=root") {
                         sh 'timeout 5 ./dist/filestash > access.log || code=$?; if [ $code -ne 124 ]; then exit $code; fi'
                         sh "cat access.log"
                         sh "cat access.log | grep -q \"\\[http\\] starting\""
@@ -63,7 +63,7 @@ pipeline {
                         // sh "cd public && npm run test"
                     }
                     // test backend
-                    docker.image("golang:1.21-bookworm").inside("--user=root") {
+                    docker.image("golang:1.23-bookworm").inside("--user=root") {
                         sh "cp ./test/assets/* /tmp/"
                         sh "go generate ./test/unit_go/..."
                         sh "go get ./..."

server/ctrl/session.go

@@ -120,6 +120,7 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
 		if Config.Get("features.protection.iframe").String() != "" {
 			c.Secure = true
 			c.SameSite = http.SameSiteNoneMode
+			c.Partitioned = true
 			if f := req.Header.Get("Referer"); f != "" && strings.HasPrefix(f, "https://") == false {
 				Log.Warning("you are trying to access Filestash from a non secure origin ('%s') and with iframe enabled. Either use SSL or disable iframe from the admin console.", f)
 			}
@@ -166,6 +167,7 @@ func SessionLogout(ctx *App, res http.ResponseWriter, req *http.Request) {
 			Value:       "",
 			MaxAge:      -1,
 			Path:        COOKIE_PATH,
+			Partitioned: true,
 		})
 		index++
 	}
@@ -294,6 +296,7 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
 				Path:        COOKIE_PATH,
 				HttpOnly:    true,
 				SameSite:    http.SameSiteLaxMode,
+				Partitioned: true,
 			})
 		}
 		if err := plugin.EntryPoint(idpParams, req, res); err != nil {
@@ -443,6 +446,7 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
 		Path:        COOKIE_PATH,
 		HttpOnly:    true,
 		SameSite:    http.SameSiteStrictMode,
+		Partitioned: true,
 	})
 	http.SetCookie(res, &http.Cookie{
 		Name:        SSOCookieName,
@@ -451,6 +455,7 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
 		Path:        COOKIE_PATH,
 		HttpOnly:    true,
 		SameSite:    http.SameSiteLaxMode,
+		Partitioned: true,
 	})
 	redirectURI := templateBind["next"]
 	if redirectURI == "" {