From 10096bbf2b6c18104cb63b5486681d00eaa5fb6c Mon Sep 17 00:00:00 2001 From: Hakurei Reimu Date: Mon, 15 Apr 2019 12:31:37 +0800 Subject: [PATCH 1/3] add extra_cookie_attrs option to config Allow instance admins to set their own SameSite cookie policy from the config. Default value in the config is `Lax`. --- config/config.exs | 5 ++++- docs/config.md | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/config/config.exs b/config/config.exs index eb74e7483..750e593e3 100644 --- a/config/config.exs +++ b/config/config.exs @@ -154,7 +154,10 @@ signing_salt: "CqaoopA2", render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)], pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2], - secure_cookie_flag: true + secure_cookie_flag: true, + extra_cookie_attrs: [ + "SameSite=Lax" + ] # Configures Elixir's Logger config :logger, :console, diff --git a/docs/config.md b/docs/config.md index e286104df..117fda960 100644 --- a/docs/config.md +++ b/docs/config.md @@ -221,6 +221,8 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i - `scheme` - e.g `http`, `https` - `port` - `path` +* `extra_cookie_attrs` - a list of `Key=Value` strings to be added as non-standard cookie attributes. Defaults to `["SameSite=Lax"]`. See the [SameSite article](https://www.owasp.org/index.php/SameSite) on OWASP for more info. + **Important note**: if you modify anything inside these lists, default `config.exs` values will be overwritten, which may result in breakage, to make sure this does not happen please copy the default value for the list from `config.exs` and modify/add only what you need @@ -442,6 +444,8 @@ The server should also be started with `OAUTH_CONSUMER_STRATEGIES="..." mix phx. Note: each strategy requires separate setup (on external provider side and Pleroma side). Below are the guidelines on setting up most popular strategies. +Note: make sure that `"SameSite=Lax"` is set in `extra_cookie_attrs` when you have this feature enabled. OAuth consumer mode will not work with `"SameSite=Strict"` + * For Twitter, [register an app](https://developer.twitter.com/en/apps), configure callback URL to https:///oauth/twitter/callback * For Facebook, [register an app](https://developers.facebook.com/apps), configure callback URL to https:///oauth/facebook/callback, enable Facebook Login service at https://developers.facebook.com/apps//fb-login/settings/ From 6e26ac10a36354c2a08ccddd0fd2df658aba5e4b Mon Sep 17 00:00:00 2001 From: Hakurei Reimu Date: Mon, 15 Apr 2019 12:33:46 +0800 Subject: [PATCH 2/3] make Pleroma.Endpoint use extra_cookie_attrs in config --- lib/pleroma/web/endpoint.ex | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex index 1633477c3..7f939991d 100644 --- a/lib/pleroma/web/endpoint.ex +++ b/lib/pleroma/web/endpoint.ex @@ -58,14 +58,9 @@ defmodule Pleroma.Web.Endpoint do do: "__Host-pleroma_key", else: "pleroma_key" - same_site = - if Pleroma.Config.oauth_consumer_enabled?() do - # Note: "SameSite=Strict" prevents sign in with external OAuth provider - # (there would be no cookies during callback request from OAuth provider) - "SameSite=Lax" - else - "SameSite=Strict" - end + extra = + Pleroma.Config.get([__MODULE__, :extra_cookie_attrs]) + |> Enum.join(";") # The session will be stored in the cookie and signed, # this means its contents can be read but not tampered with. @@ -77,7 +72,7 @@ defmodule Pleroma.Web.Endpoint do signing_salt: {Pleroma.Config, :get, [[__MODULE__, :signing_salt], "CqaoopA2"]}, http_only: true, secure: secure_cookies, - extra: same_site + extra: extra ) # Note: the plug and its configuration is compile-time this can't be upstreamed yet From 2472efb4e9aafe68d1ab3eef12ea3c3ad3859029 Mon Sep 17 00:00:00 2001 From: Hakurei Reimu Date: Tue, 16 Apr 2019 22:24:24 +0800 Subject: [PATCH 3/3] Add extra_cookie_attrs to changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebf21851b..1d2ad3320 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Federation: Expand the audience of delete activities to all recipients of the deleted object - Federation: Removed `inReplyToStatusId` from objects - Configuration: Dedupe enabled by default +- Configuration: Added `extra_cookie_attrs` for setting non-standard cookie attributes. Defaults to ["SameSite=Lax"] so that remote follows work. - Pleroma API: Support for emoji tags in `/api/pleroma/emoji` resulting in a breaking API change - Mastodon API: Support for `exclude_types`, `limit` and `min_id` in `/api/v1/notifications` - Mastodon API: Add `languages` and `registrations` to `/api/v1/instance`