fix (iframe): iframe cookie block rollout

This commit is contained in:
MickaelK 2024-09-06 00:52:26 +10:00
parent a0540eecae
commit 919ee10a81
2 changed files with 30 additions and 25 deletions

6
Jenkinsfile vendored

@ -27,7 +27,7 @@ pipeline {
sh "npm install"
sh "make build_frontend"
}
docker.image("golang:1.21-bookworm").inside("--user=root") {
docker.image("golang:1.23-bookworm").inside("--user=root") {
// prepare: todo - statically compile plg_image_c so we don't have to do this to pass the e2e tests
sh "sed -i 's|plg_image_c|plg_image_golang|' server/plugin/index.go"
// build
@ -42,7 +42,7 @@ pipeline {
steps {
script {
// smoke test
docker.image("golang:1.21-bookworm").inside("--user=root") {
docker.image("golang:1.23-bookworm").inside("--user=root") {
sh 'timeout 5 ./dist/filestash > access.log || code=$?; if [ $code -ne 124 ]; then exit $code; fi'
sh "cat access.log"
sh "cat access.log | grep -q \"\\[http\\] starting\""
@ -63,7 +63,7 @@ pipeline {
// sh "cd public && npm run test"
}
// test backend
docker.image("golang:1.21-bookworm").inside("--user=root") {
docker.image("golang:1.23-bookworm").inside("--user=root") {
sh "cp ./test/assets/* /tmp/"
sh "go generate ./test/unit_go/..."
sh "go get ./..."


@ -120,6 +120,7 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
if Config.Get("features.protection.iframe").String() != "" {
c.Secure = true
c.SameSite = http.SameSiteNoneMode
c.Partitioned = true
if f := req.Header.Get("Referer"); f != "" && strings.HasPrefix(f, "https://") == false {
Log.Warning("you are trying to access Filestash from a non secure origin ('%s') and with iframe enabled. Either use SSL or disable iframe from the admin console.", f)
}
@ -166,6 +167,7 @@ func SessionLogout(ctx *App, res http.ResponseWriter, req *http.Request) {
Value: "",
MaxAge: -1,
Path: COOKIE_PATH,
Partitioned: true,
})
index++
}
@ -294,6 +296,7 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
Partitioned: true,
})
}
if err := plugin.EntryPoint(idpParams, req, res); err != nil {
@ -443,6 +446,7 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Partitioned: true,
})
http.SetCookie(res, &http.Cookie{
Name: SSOCookieName,
@ -451,6 +455,7 @@ func SessionAuthMiddleware(ctx *App, res http.ResponseWriter, req *http.Request)
Path: COOKIE_PATH,
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
Partitioned: true,
})
redirectURI := templateBind["next"]
if redirectURI == "" {
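Review bot: The `Partitioned: true` added in the SessionAuthMiddleware hunks (@ -294, @ -443, @ -451) and in SessionLogout (@ -166) is unconditional and none of those hunks shows a `Secure: true` on the same cookie, whereas the SessionAuthenticate hunk (@ -120) only sets `c.Partitioned` together with `c.Secure` and only when `features.protection.iframe` is enabled. The Partitioned attribute is only accepted by browsers on a Secure cookie, so if Secure is not set on lines outside these hunks, plain-HTTP deployments would have these cookies dropped by the browser rather than stored, and a logout cookie that is Partitioned cannot clear a session cookie that was set unpartitioned. Gating it the same way as the login path, `Partitioned: Config.Get("features.protection.iframe").String() != "",` (with `Secure: true` alongside it when enabled), keeps the three code paths consistent; please confirm whether Secure is already set on the omitted lines. Each enclosing function starts and ends outside its hunk.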