From 73a3f78558cf1fa122bb38e5de133a57a9fba758 Mon Sep 17 00:00:00 2001
From: Jonathan Chappelow
Date: Thu, 14 May 2020 17:36:12 -0500
Subject: [PATCH] webserver: strict SameSite auth cookie attribute

---
 client/webserver/api.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/client/webserver/api.go b/client/webserver/api.go
index 73c47f57f8..deeabe7926 100644
--- a/client/webserver/api.go
+++ b/client/webserver/api.go
@@ -255,8 +255,13 @@ func (s *WebServer) actuallyLogin(w http.ResponseWriter, r *http.Request, login
 cval := s.auth()
 http.SetCookie(w, &http.Cookie{
 Name: authCK,
- Path: "/",
 Value: cval,
+ Path: "/",
+ // The client should only send the cookie with first-party requests.
+ // Cross-site requests should not include the auth cookie.
+ // https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+ SameSite: http.SameSiteStrictMode,
+ // Secure: false, // while false we require SameSite set
 })
 }
 writeJSON(w, struct {
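Review bot: The cookie literal now carries SameSite but still omits `HttpOnly`, so the auth cookie value remains readable by any script running in the page, which is exactly what SameSite does not defend against; add `HttpOnly: true,` next to `SameSite: http.SameSiteStrictMode,` unless client-side JavaScript genuinely needs to read `authCK`. The commented-out `Secure: false` line is also ambiguous for the next reader — presumably Secure is left unset because the client webserver is reached over plain HTTP, and if so that should be stated, e.g. `// Secure is deliberately unset: the server is reached over plain HTTP, so a Secure cookie would never be sent back; SameSite=Strict is the mitigation relied on instead.` SameSite is not honored by every browser that may reach this server, so it is best treated as defense in depth rather than the only CSRF control on state-changing endpoints. The enclosing actuallyLogin starts before the hunk and continues past the writeJSON call after it.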