authorLukas Reschke <lukas@statuscode.ch>2016-07-20 21:35:02 +0200
committerGitHub <noreply@github.com>2016-07-20 21:35:02 +0200
commit020a2a6958e48f7a3a29daa2235f6729980850af (patch)
treefac1cf75e60a7d46c978b7f9aebd811c932da7ab /lib/private/legacy
parenta17ba2f4889c92e7113606e17cc6b9f66512264f (diff)
parenta299fa38a9172f16e4bc48d4bd4f9807cec2f737 (diff)
downloadnextcloud-server-020a2a6958e48f7a3a29daa2235f6729980850af.tar.gz
nextcloud-server-020a2a6958e48f7a3a29daa2235f6729980850af.zip
Merge pull request #476 from nextcloud/port-same-site-cookies
[master] Port Same-Site Cookies to master
Diffstat (limited to 'lib/private/legacy')
-rw-r--r--lib/private/legacy/eventsource.php4
-rw-r--r--lib/private/legacy/json.php5
2 files changed, 9 insertions, 0 deletions
diff --git a/lib/private/legacy/eventsource.php b/lib/private/legacy/eventsource.php
index 51040e7be7d..70e9847d237 100644
--- a/lib/private/legacy/eventsource.php
+++ b/lib/private/legacy/eventsource.php
@@ -76,6 +76,10 @@ class OC_EventSource implements \OCP\IEventSource {
} else {
header("Content-Type: text/event-stream");
}
+ if(!\OC::$server->getRequest()->passesStrictCookieCheck()) {
+ header('Location: '.\OC::$WEBROOT);
+ exit();
+ }
if (!(\OC::$server->getRequest()->passesCSRFCheck())) {
$this->send('error', 'Possible CSRF attack. Connection will be closed.');
$this->close();
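Review bot: The strict-cookie failure branch added after the `Content-Type` headers answers an event-stream request with a redirect and `exit()`, while the CSRF branch directly below reports its failure in-band with `$this->send('error', ...)` and `$this->close()`. A client consuming the stream would presumably follow the redirect and receive a page rather than an event, so the rejection is not visible to the caller, and nothing is logged server-side for a request that failed a same-site check. If `\OC::$WEBROOT` can be an empty string (its value is not visible here), the header would carry an empty target; `header('Location: '.\OC::$WEBROOT.'/');` avoids that. The same branch is added to `OC_JSON::callCheck()` in json.php, where callers expect a JSON error instead. The enclosing method starts and ends outside this hunk.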
diff --git a/lib/private/legacy/json.php b/lib/private/legacy/json.php
index 1dde63602b1..557e1d77012 100644
--- a/lib/private/legacy/json.php
+++ b/lib/private/legacy/json.php
@@ -79,6 +79,11 @@ class OC_JSON{
* @deprecated Use annotation based CSRF checks from the AppFramework instead
*/
public static function callCheck() {
+ if(!\OC::$server->getRequest()->passesStrictCookieCheck()) {
+ header('Location: '.\OC::$WEBROOT);
+ exit();
+ }
+
if( !(\OC::$server->getRequest()->passesCSRFCheck())) {
$l = \OC::$server->getL10N('lib');
self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.'), 'error' => 'token_expired' )));
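Review bot: The docblock above `callCheck()` is not updated for the new strict-cookie check, so callers are not told that the method may now send a `Location` header and `exit()` before any JSON is produced. A line such as `* Redirects to the web root and exits if the strict same-site cookie check fails.` would document the new side effect alongside the existing `@deprecated` tag. The docblock begins above the hunk, so its current wording is only partly visible, and the method body continues past the hunk's last line.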