fix: make cookies more secure (merge pull request #150 from davidovsk…

…i/cookies)

Cookies

engines/invidious/video.php

@@ -53,7 +53,7 @@ public static function print_results($results, $opts) {
                 $thumbnail = preg_replace('/(?:https?:\/\/)?(?:www\.)?youtube\.com\/watch\?v=([^\s]+)/', 'https://i.ytimg.com/vi/$1/maxresdefault.jpg', $url) ?? '';
 
                 echo "<div class=\"text-result-wrapper\">";
-                echo "<a href=\"$url\">";
+                echo "<a rel=\"noreferer noopener\" href=\"$url\">";
                 echo "$base_url";
                 echo "<h2>$title</h2>";
                 echo "<img class=\"video-img\" src=\"image_proxy.php?url=$thumbnail\">";

engines/qwant/image.php

@@ -44,7 +44,7 @@ public static function print_results($results, $opts) {
                     $url = $result["url"];
                     $url = check_for_privacy_frontend($url, $opts);
 
-                    echo "<a title=\"$alt\" href=\"$url\" target=\"_blank\">";
+                    echo "<a title=\"$alt\" href=\"$url\" rel=\"noreferer noopener\" target=\"_blank\">";
                     echo "<img src=\"image_proxy.php?url=$thumbnail\">";
                     echo "</a>";
                 }

engines/text/text.php

@@ -154,7 +154,7 @@ public static function print_results($results, $opts)  {
                 echo $response;
                 if ($source) {
                     $source = check_for_privacy_frontend($source, $opts);
-                    echo "<a href=\"$source\" target=\"_blank\">$source</a>";
+                    echo "<a href=\"$source\" rel=\"noreferer noopener\" target=\"_blank\">$source</a>";
                 }
                 echo "</p>";
             }
@@ -175,7 +175,7 @@ public static function print_results($results, $opts)  {
                 $description = $result["description"];
 
                 echo "<div class=\"text-result-wrapper\">";
-                echo "<a href=\"$url\">";
+                echo "<a rel=\"noreferer noopener\"  href=\"$url\">";
                 echo "$base_url";
                 echo "<h2>$title</h2>";
                 echo "</a>";

settings.php

@@ -8,6 +8,9 @@
                 foreach($cookies as $cookie) {
                     $parts = explode("=", $cookie);
                     $name = trim($parts[0]);
+
+                    $domain = parse_url($_SERVER['SERVER_NAME']);
+
                     setcookie($name, "", time() - 1000);
                 }
             }
@@ -16,7 +19,14 @@
         if (isset($_REQUEST["save"])) {
             foreach($_POST as $key=>$value) {
                 if (!empty($value)) {
-                    setcookie($key, $value, time() + (86400 * 90), '/');
+                    setcookie($key, $value, [
+                        "expires" => time() + (86400 * 90),
+                        "path" => "/",
+                        "domain" => "$domain",
+                        "secure" => true,       // Ensure cookies are only sent over HTTPS
+                        "httponly" => true,     // Prevent client-side JavaScript access to cookies
+                        "samesite" => "Strict"  // Strict SameSite policy for better protection against CSRF attacks
+                    ]);
                 } else {
                     setcookie($key, "", time() - 1000);
                 }