From cd47380b85b122328cc24d0cd6cf5cf0b4aeff92 Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Tue, 20 Nov 2018 02:56:30 -0500
Subject: [PATCH] Add SameSite attribute to WebUI session cookie

This attribute prevents the cookie from being submitted on any cross-site request, strongly limiting CSRF. Closes #9877.
---
 src/webui/webapplication.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 602973b25..7c8d96b13 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -656,7 +656,10 @@ void WebApplication::sessionStart()
     QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
     cookie.setHttpOnly(true);
     cookie.setPath(QLatin1String("/"));
-    header(Http::HEADER_SET_COOKIE, cookie.toRawForm());
+    QByteArray cookieRawForm = cookie.toRawForm();
+    if (m_isCSRFProtectionEnabled)
+        cookieRawForm.append("; SameSite=Strict");
+    header(Http::HEADER_SET_COOKIE, cookieRawForm);
 }

 void WebApplication::sessionEnd()
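Review bot: The `cookieRawForm.append("; SameSite=Strict")` line splices the attribute onto the serialized cookie as a raw byte string, which only works because the QNetworkCookie API in use has no SameSite setter; if a later Qt emits the attribute from `toRawForm()` itself (Qt added `QNetworkCookie::setSameSitePolicy()` in 6.1), the header would carry it twice, so the append wants a comment such as `// QNetworkCookie has no SameSite support here; appended by hand — replace with setSameSitePolicy() once the minimum Qt provides it`. `Strict` also withholds the cookie on top-level cross-site navigations, so a user reaching the WebUI via a link from another origin will be shown the login page; that is a reasonable trade-off for a CSRF defense, but it should be stated in the code or commit message, with `Lax` as the fallback if it proves disruptive. Gating SameSite on `m_isCSRFProtectionEnabled` means turning off the token-based CSRF check also removes this browser-side defense; if that coupling is intended it deserves a one-line comment, since the two mechanisms are independent. The cookie is still sent without the `Secure` attribute; whether the WebUI can tell it is serving over HTTPS is not visible in this hunk, but if it can, setting `cookie.setSecure(true)` in that case would complement this change. The body of `sessionStart()` begins before this hunk.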