pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: 530561a091f6f82e27ef3d5011b929b00e2da964
parent: b0ec4f33e661cb14730a622d64dbc721e2723825
Author: kaniini <nenolod@gmail.com>
Date:   Fri,  7 Sep 2018 23:55:42 +0000

Merge branch 'add-secure-and-samesite-cookie-flags' into 'develop'

Add Secure and SameSite cookie flags

See merge request pleroma/pleroma!302

Diffstat:

M config/config.exs | 3 ++-
M lib/pleroma/web/endpoint.ex | 6 +++++-
2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/config/config.exs b/config/config.exs @@ -32,7 +32,8 @@ config :pleroma, Pleroma.Web.Endpoint, protocol: "https", secret_key_base: "aK4Abxf29xU9TTDKre9coZPUgevcVCFQJe/5xP/7Lt4BEif6idBIbjupVbOrbKxl", render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)], - pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2] + pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2], + secure_cookie_flag: true # Configures Elixir's Logger config :logger, :console, diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex @@ -49,7 +49,11 @@ defmodule Pleroma.Web.Endpoint do Plug.Session, store: :cookie, key: "_pleroma_key", - signing_salt: "CqaoopA2" + signing_salt: "CqaoopA2", + http_only: true, + secure: + Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag), + extra: "SameSite=Strict" ) plug(Pleroma.Web.Router)
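Review bot: In the config/config.exs hunk, the new `secure_cookie_flag: true` key is added to the base endpoint config with no comment explaining it and no per-environment override. The diffstat lists only config/config.exs and lib/pleroma/web/endpoint.ex, so a development instance reached over plain http inherits `true`, and a browser will not send a cookie marked Secure back over an unencrypted connection, which shows up as sessions that never persist. Please add a one-line comment next to the key saying it controls the Secure attribute of the `_pleroma_key` session cookie, and either set `secure_cookie_flag: false` in the dev config or document that operators testing without TLS need to do so.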
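Review bot: In the lib/pleroma/web/endpoint.ex hunk, `Keyword.get(:secure_cookie_flag)` has no default, so if the key is ever absent from the endpoint config the lookup returns nil and the session cookie is issued without the Secure attribute. For a security flag the safer behaviour is to fail closed: use `Keyword.get(:secure_cookie_flag, true)` so that only an explicit `false` turns it off. Also note that this expression sits inside the options passed to `plug(Plug.Session, ...)`, which are evaluated when the endpoint module is compiled, so changing `secure_cookie_flag` in config only takes effect after a recompile; a short comment saying so would save operators some confusion. The `http_only: true` and `extra: "SameSite=Strict"` lines look fine as written.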