Merge pull request #428 from dalcde/cookies

public/js/index.js

@@ -1594,7 +1594,8 @@ function toggleNightMode () {
     store.set('nightMode', !isActive)
   } else {
     Cookies.set('nightMode', !isActive, {
-      expires: 365
+      expires: 365,
+      sameSite: 'strict'
     })
   }
 }

public/js/lib/common/login.js

@@ -19,11 +19,13 @@ export function resetCheckAuth () {
 
 export function setLoginState (bool, id) {
   Cookies.set('loginstate', bool, {
-    expires: 365
+    expires: 365,
+    sameSite: 'strict'
   })
   if (id) {
     Cookies.set('userid', id, {
-      expires: 365
+      expires: 365,
+      sameSite: 'strict'
     })
   } else {
     Cookies.remove('userid')

public/js/lib/editor/index.js

@@ -344,12 +344,14 @@ export default class Editor {
     const setType = () => {
       if (this.editor.getOption('indentWithTabs')) {
         Cookies.set('indent_type', 'tab', {
-          expires: 365
+          expires: 365,
+          sameSite: 'strict'
         })
         type.text('Tab Size:')
       } else {
         Cookies.set('indent_type', 'space', {
-          expires: 365
+          expires: 365,
+          sameSite: 'strict'
         })
         type.text('Spaces:')
       }
@@ -360,11 +362,13 @@ export default class Editor {
       var unit = this.editor.getOption('indentUnit')
       if (this.editor.getOption('indentWithTabs')) {
         Cookies.set('tab_size', unit, {
-          expires: 365
+          expires: 365,
+          sameSite: 'strict'
         })
       } else {
         Cookies.set('space_units', unit, {
-          expires: 365
+          expires: 365,
+          sameSite: 'strict'
         })
       }
       widthLabel.text(unit)
@@ -432,7 +436,8 @@ export default class Editor {
     const setKeymapLabel = () => {
       var keymap = this.editor.getOption('keyMap')
       Cookies.set('keymap', keymap, {
-        expires: 365
+        expires: 365,
+        sameSite: 'strict'
       })
       label.text(keymap)
       this.restoreOverrideEditorKeymap()
@@ -480,7 +485,8 @@ export default class Editor {
       }
       this.editor.setOption('theme', theme)
       Cookies.set('theme', theme, {
-        expires: 365
+        expires: 365,
+        sameSite: 'strict'
       })
 
       checkTheme()
@@ -525,7 +531,8 @@ export default class Editor {
         this.editor.setOption('mode', mode)
       }
       Cookies.set('spellcheck', mode === 'spell-checker', {
-        expires: 365
+        expires: 365,
+        sameSite: 'strict'
       })
 
       checkSpellcheck()
@@ -570,7 +577,8 @@ export default class Editor {
     )
     if (overrideBrowserKeymap.is(':checked')) {
       Cookies.set('preferences-override-browser-keymap', true, {
-        expires: 365
+        expires: 365,
+        sameSite: 'strict'
       })
       this.restoreOverrideEditorKeymap()
     } else {

public/js/locale.js

@@ -25,7 +25,8 @@ $('select.ui-locale option[value="' + lang + '"]').attr('selected', 'selected')
 
 locale.change(function () {
   Cookies.set('locale', $(this).val(), {
-    expires: 365
+    expires: 365,
+    sameSite: 'strict'
   })
   window.location.reload()
 })

src/lib/app.ts

@@ -63,8 +63,15 @@ if (config.useSSL) {
   server = http.createServer(app)
 }
 
+// if we manage to provide HTTPS domains, but don't provide TLS ourselves
+// obviously a proxy is involded. In order to make sure express is aware of
+// this, we provide the option to trust proxies here.
+if (!config.useSSL && config.protocolUseSSL) {
+  app.set('trust proxy', 1)
+}
+
 // socket io
-const io = SocketIO(server)
+const io = SocketIO(server, { cookie: false })
 io.engine.ws = new WebSocket.Server({
   noServer: true,
   perMessageDeflate: false
@@ -181,7 +188,9 @@ app.use(session({
   saveUninitialized: true, // always create session to ensure the origin
   rolling: true, // reset maxAge on every response
   cookie: {
-    maxAge: config.sessionLife
+    maxAge: config.sessionLife,
+    sameSite: 'lax',
+    secure: config.useSSL || config.protocolUseSSL || false
   },
   store: sessionStore
 }))