authorLukas Reschke <lukas@statuscode.ch>2016-11-23 12:53:44 +0100
committerLukas Reschke <lukas@statuscode.ch>2016-11-23 12:53:44 +0100
commita05b8b79534fcd46341ae7bfd28cb34e9ff88ced (patch)
treeedd0a9c995ae5948fa202f367fdd63912ca1612f /lib/base.php
parentf692ea34f1f1ce128ad40e3bf248c6342260c6c1 (diff)
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but nonetheless nice security hardening. See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications. Fixes https://github.com/nextcloud/server/issues/1412 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib/base.php')
-rw-r--r--lib/base.php10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/base.php b/lib/base.php
index d6c6e17eff9..2f5517f4614 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -493,10 +493,18 @@ class OC {
'lax',
'strict',
];
+
+ // Append __Host to the cookie if it meets the requirements
+ $cookiePrefix = '';
+ if($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
+ $cookiePrefix = '__Host-';
+ }
+
foreach($policies as $policy) {
header(
sprintf(
- 'Set-Cookie: nc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s',
+ 'Set-Cookie: %snc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s',
+ $cookiePrefix,
$policy,
$cookieParams['path'],
$policy
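Review bot: The `__Host-` prefix changes the cookie name, so the condition at `if($cookieParams['secure'] === true && $cookieParams['path'] === '/')` has to be mirrored wherever `nc_sameSiteCookielax`/`nc_sameSiteCookiestrict` are read back from `$_COOKIE`; that reader is not in this hunk and, since the diffstat is limited to lib/base.php, it is unclear from here whether it is patched. Browsers silently drop a `__Host-` cookie that is missing the `Secure` attribute, carries a `Domain` attribute, or has a path other than `/`; the new check covers the path and the secure flag, but the `Secure` attribute itself is emitted via `$secureCookie`, which is assigned outside the hunk and presumably derives from the same `$cookieParams['secure']` — worth confirming so the two cannot diverge. The comment could state the constraint rather than the mechanism, e.g. `// Prefix with __Host- only when the cookie also has Secure, Path=/ and no Domain; browsers reject it otherwise`. The enclosing method starts before and continues past this hunk.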