aboutsummaryrefslogtreecommitdiffstats
path: root/lib/base.php
diff options
context:
space:
mode:
authorLukas Reschke <lukas@statuscode.ch>2016-11-23 12:53:44 +0100
committerLukas Reschke <lukas@statuscode.ch>2016-11-23 12:53:44 +0100
commita05b8b79534fcd46341ae7bfd28cb34e9ff88ced (patch)
treeedd0a9c995ae5948fa202f367fdd63912ca1612f /lib/base.php
parentf692ea34f1f1ce128ad40e3bf248c6342260c6c1 (diff)
downloadnextcloud-server-a05b8b79534fcd46341ae7bfd28cb34e9ff88ced.tar.gz
nextcloud-server-a05b8b79534fcd46341ae7bfd28cb34e9ff88ced.zip
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening. See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications. Fixes https://github.com/nextcloud/server/issues/1412 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib/base.php')
-rw-r--r--lib/base.php10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/base.php b/lib/base.php
index d6c6e17eff9..2f5517f4614 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -493,10 +493,18 @@ class OC {
'lax',
'strict',
];
+
+ // Append __Host to the cookie if it meets the requirements
+ $cookiePrefix = '';
+ if($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
+ $cookiePrefix = '__Host-';
+ }
+
foreach($policies as $policy) {
header(
sprintf(
- 'Set-Cookie: nc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s',
+ 'Set-Cookie: %snc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s',
+ $cookiePrefix,
$policy,
$cookieParams['path'],
$policy