Set 'SameSite=Strict' for all cookies (#2019)

Marcin Maciaszczyk · web-flow · commit cbf6fd0ac63e · 2020-02-25T17:07:58.000+01:00
diff --git a/src/app/core/services/auth/auth.service.ts b/src/app/core/services/auth/auth.service.ts
@@ -24,11 +24,11 @@ export class Auth {
       if (this.compareNonceWithToken(token, nonce)) {
         // remove URL fragment with token, so that users can't accidentally copy&paste it and send it to others
         this.removeFragment();
-        this._cookieService.set(Auth.Cookie.Token, token, 1, '/', null, true);
+        this._cookieService.set(Auth.Cookie.Token, token, 1, '/', null, true, 'Strict');
         // localhost is only served via http, though secure cookie is not possible
         // following line will only work when domain is localhost
-        this._cookieService.set(Auth.Cookie.Token, token, 1, '/', 'localhost');
-        this._cookieService.set(Auth.Cookie.Token, token, 1, '/', '127.0.0.1');
+        this._cookieService.set(Auth.Cookie.Token, token, 1, '/', 'localhost', false, 'Strict');
+        this._cookieService.set(Auth.Cookie.Token, token, 1, '/', '127.0.0.1', false, 'Strict');
       }
       this._previousRouteService.loadRouting();
     }
@@ -89,7 +89,7 @@ export class Auth {
   }
 
   login(): void {
-    this._cookieService.set(Auth.Cookie.Autoredirect, 'true', 1, '/');
+    this._cookieService.set(Auth.Cookie.Autoredirect, 'true', 1, '/', null, false, 'Strict');
   }
 
   logout(): void {
diff --git a/src/app/pages/frontpage/frontpage.component.ts b/src/app/pages/frontpage/frontpage.component.ts
@@ -28,11 +28,11 @@ export class FrontpageComponent implements OnInit {
     const nonceRegExp = /[\?&#]nonce=([^&]+)/;
     const nonceStr = nonceRegExp.exec(this._auth.getOIDCProviderURL());
     if (!!nonceStr && nonceStr.length >= 2 && !!nonceStr[1]) {
-      this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', null, true);
+      this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', null, true, 'Strict');
       // localhost is only served via http, though secure cookie is not possible
       // following line will only work when domain is localhost
-      this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', 'localhost');
-      this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', '127.0.0.1');
+      this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', 'localhost', false, 'Strict');
+      this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', '127.0.0.1', false, 'Strict');
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,11 @@ export class Auth {`
`24`	`24`	`if (this.compareNonceWithToken(token, nonce)) {`
`25`	`25`	`// remove URL fragment with token, so that users can't accidentally copy&paste it and send it to others`
`26`	`26`	`this.removeFragment();`
`27`		`- this._cookieService.set(Auth.Cookie.Token, token, 1, '/', null, true);`
	`27`	`+ this._cookieService.set(Auth.Cookie.Token, token, 1, '/', null, true, 'Strict');`
`28`	`28`	`// localhost is only served via http, though secure cookie is not possible`
`29`	`29`	`// following line will only work when domain is localhost`
`30`		`- this._cookieService.set(Auth.Cookie.Token, token, 1, '/', 'localhost');`
`31`		`- this._cookieService.set(Auth.Cookie.Token, token, 1, '/', '127.0.0.1');`
	`30`	`+ this._cookieService.set(Auth.Cookie.Token, token, 1, '/', 'localhost', false, 'Strict');`
	`31`	`+ this._cookieService.set(Auth.Cookie.Token, token, 1, '/', '127.0.0.1', false, 'Strict');`
`32`	`32`	`}`
`33`	`33`	`this._previousRouteService.loadRouting();`
`34`	`34`	`}`
`@@ -89,7 +89,7 @@ export class Auth {`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`login(): void {`
`92`		`- this._cookieService.set(Auth.Cookie.Autoredirect, 'true', 1, '/');`
	`92`	`+ this._cookieService.set(Auth.Cookie.Autoredirect, 'true', 1, '/', null, false, 'Strict');`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`logout(): void {`
Original file line number	Diff line number	Diff line change
`@@ -28,11 +28,11 @@ export class FrontpageComponent implements OnInit {`
`28`	`28`	`const nonceRegExp = /[\?&#]nonce=([^&]+)/;`
`29`	`29`	`const nonceStr = nonceRegExp.exec(this._auth.getOIDCProviderURL());`
`30`	`30`	`if (!!nonceStr && nonceStr.length >= 2 && !!nonceStr[1]) {`
`31`		`- this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', null, true);`
	`31`	`+ this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', null, true, 'Strict');`
`32`	`32`	`// localhost is only served via http, though secure cookie is not possible`
`33`	`33`	`// following line will only work when domain is localhost`
`34`		`- this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', 'localhost');`
`35`		`- this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', '127.0.0.1');`
	`34`	`+ this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', 'localhost', false, 'Strict');`
	`35`	`+ this._cookieService.set(Auth.Cookie.Nonce, nonceStr[1], null, '/', '127.0.0.1', false, 'Strict');`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`