authorMorris Jobke <hey@morrisjobke.de>2018-06-07 15:36:33 +0200
committerGitHub <noreply@github.com>2018-06-07 15:36:33 +0200
commitc60c8ac675f19fe6d42317e09868236f7bb4a03a (patch)
treef65ec10530cbbce3ce02e0c3d26c5a8fa5cf7b36
parent43edffa93c9a1a615acf518ea907a55681a1599c (diff)
parent199fe0a34713b98903fc50c40fbfffbc0ec0b63d (diff)
Merge pull request #9772 from nextcloud/feature/8123/same_site_cookie_config_php
Move samesite cookie opt-out to config.php
-rw-r--r--config/config.sample.php12
-rw-r--r--lib/base.php17
2 files changed, 24 insertions, 5 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index 40d83cea372..a1445d77095 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -1595,4 +1595,16 @@ $CONFIG = array(
*/
'gs.federation' => 'internal',
+/**
+ * List of incompatible user agents opted out from Same Site Cookie Protection.
+ * Some user agents are notorious and don't really properly follow HTTP
+ * specifications. For those, have an opt-out.
+ *
+ * WARNING: only use this if you know what you are doing
+ */
+'csrf.optout' => array(
+ '/^WebDAVFS/', // OS X Finder
+ '/^Microsoft-WebDAV-MiniRedir/', // Windows webdav drive
+),
+
);
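Review bot: The new `csrf.optout` doc block never says what the entries are, and an admin reading only config.sample.php cannot tell that each value is a PCRE pattern applied to the request's User-Agent header rather than a literal substring. I would extend the comment with `* Each entry is a regular expression (PCRE, with delimiters) matched against the User-Agent header; matching clients skip the same-site cookie check entirely.` and note that the setting replaces, not extends, the built-in list, so an explicit empty array turns the opt-out off for every client. The heading says "Same Site Cookie Protection" while the key is named `csrf.optout`; one sentence tying the two together (`the same-site cookie check is the CSRF protection this key opts out of`) would avoid the mismatch.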
diff --git a/lib/base.php b/lib/base.php
index 57a620db0ec..5cc33e233f9 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -523,11 +523,18 @@ class OC {
// specifications. For those, have an automated opt-out. Since the protection
// for remote.php is applied in base.php as starting point we need to opt out
// here.
- $incompatibleUserAgents = [
- // OS X Finder
- '/^WebDAVFS/',
- '/^Microsoft-WebDAV-MiniRedir/',
- ];
+ $incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout');
+
+ // Fallback, if csrf.optout is unset
+ if (!is_array($incompatibleUserAgents)) {
+ $incompatibleUserAgents = [
+ // OS X Finder
+ '/^WebDAVFS/',
+ // Windows webdav drive
+ '/^Microsoft-WebDAV-MiniRedir/',
+ ];
+ }
+
if($request->isUserAgent($incompatibleUserAgents)) {
return;
}
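Review bot: The `is_array` fallback on the new lines silently swaps in the built-in opt-out list whenever the configured value is not an array, so a typo such as `'csrf.optout' => '/^WebDAVFS/'` (a bare string) is accepted without any log entry and the admin believes a narrower list is in force. Since `getSystemValue()` takes a default as its second argument, the default list can be passed there and the guard reduced to a type check that is logged: `$incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout', $defaultOptout);` followed by `if (!is_array($incompatibleUserAgents)) { /* log misconfiguration */ $incompatibleUserAgents = $defaultOptout; }`. A malformed pattern inside the array is not caught either; if `isUserAgent()` relies on `preg_match` as its name suggests, an invalid entry yields `false` plus a warning and that client silently loses its opt-out, which is worth a short comment above the call. The enclosing method of `class OC` starts and ends outside this hunk.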