From 9cc112aa4ecce51030bdf6c4472212eb64444faa Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Tue, 20 Nov 2018 02:56:30 -0500
Subject: [PATCH] Add SameSite attribute to WebUI session cookie

This attribute prevents the cookie from being submitted on any cross-site request, strongly limiting CSRF.

Closes #9877.
---
 src/webui/webapplication.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index ecc57a294..bd5cb4b88 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -657,7 +657,10 @@ void WebApplication::sessionStart()
     QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
     cookie.setHttpOnly(true);
     cookie.setPath(QLatin1String("/"));
-    header(Http::HEADER_SET_COOKIE, cookie.toRawForm());
+    QByteArray cookieRawForm = cookie.toRawForm();
+    if (m_isCSRFProtectionEnabled)
+        cookieRawForm.append("; SameSite=Strict");
+    header(Http::HEADER_SET_COOKIE, cookieRawForm);
 }
 
 void WebApplication::sessionEnd()
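Review bot: The `cookieRawForm.append("; SameSite=Strict");` line patches the serialized Set-Cookie value by hand with no comment saying why the attribute is not set through QNetworkCookie like HttpOnly and Path are; presumably the targeted Qt version has no SameSite setter, and that should be recorded so a later maintainer knows when the workaround can go. I would add above the `if`: `// QNetworkCookie has no SameSite API here, so the attribute is appended to the raw form; Strict also drops the cookie on top-level navigations from other sites, so a user following an external link lands on the login page`. Since the attribute is gated on m_isCSRFProtectionEnabled, the comment should also state that turning CSRF protection off intentionally omits SameSite rather than leaving it to a default. The body of sessionStart begins before the hunk, so whether the cookie is also marked Secure elsewhere cannot be seen from here.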