author | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-01-04 13:10:35 +0000 |
committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-01-04 15:32:24 +0000 |
commit | a9932722b4cf2103d35f8f4c23ad2918aad0a96c (patch) | |
tree | 15124df09ba70b16a645cc9dd403d4f0f99ee481 /perllib | |
parent | 3af2658153e35599c50a51c3a85a05e0e365e071 (diff) |
Include "SameSite=Lax" with all set cookies.
This prevents FixMyStreet cookies from being sent with requests made by third-party
<img>s and the like, in supporting browsers.
Diffstat (limited to 'perllib')
-rw-r--r-- | perllib/FixMyStreet/App.pm | 1 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Engine.pm | 68 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Response.pm | 2 |
3 files changed, 70 insertions, 1 deletions
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm
index e47336b7c..390300093 100644
--- a/perllib/FixMyStreet/App.pm
+++ b/perllib/FixMyStreet/App.pm
@@ -98,6 +98,7 @@ __PACKAGE__->config(
 );
 __PACKAGE__->response_class('FixMyStreet::App::Response');
+__PACKAGE__->engine_class('FixMyStreet::App::Engine');
 # Start the application
 __PACKAGE__->setup();
diff --git a/perllib/FixMyStreet/App/Engine.pm b/perllib/FixMyStreet/App/Engine.pm
new file mode 100644
index 000000000..b73701f49
--- /dev/null
+++ b/perllib/FixMyStreet/App/Engine.pm
@@ -0,0 +1,68 @@
+package FixMyStreet::App::Engine;
+
+use Moose;
+extends 'Catalyst::Engine';
+
+use CGI::Cookie;
+use utf8;
+
+use namespace::clean -except => 'meta';
+
+=head1 NAME
+
+FixMyStreet::App::Engine - Catalyst Engine wrapper
+
+=head1 SYNOPSIS
+
+See L<Catalyst::Engine>.
+
+=head1 METHODS
+
+=head2 $self->finalize_cookies($c)
+
+Create CGI::Cookie objects from C<< $c->res->cookies >>, and set them as
+response headers. Adds a C<samesite=lax> part.
+
+=cut
+
+sub finalize_cookies {
+ my ( $self, $c ) = @_;
+
+ my @cookies;
+ my $response = $c->response;
+
+ foreach my $name (keys %{ $response->cookies }) {
+
+ my $val = $response->cookies->{$name};
+
+ my $cookie = (
+ blessed($val)
+ ? $val
+ : CGI::Cookie->new(
+ -name => $name,
+ -value => $val->{value},
+ -expires => $val->{expires},
+ -domain => $val->{domain},
+ -path => $val->{path},
+ -secure => $val->{secure} || 0,
+ -httponly => $val->{httponly} || 0,
+ -samesite => 'Lax',
+ )
+ );
+ if (!defined $cookie) {
+ $c->log->warn("undef passed in '$name' cookie value - not setting cookie")
+ if $c->debug;
+ next;
+ }
+
+ push @cookies, $cookie->as_string;
+ }
+
+ for my $cookie (@cookies) {
+ $response->headers->push_header( 'Set-Cookie' => $cookie );
+ }
+}
+
+__PACKAGE__->meta->make_immutable;
+
+1;
diff --git a/perllib/FixMyStreet/App/Response.pm b/perllib/FixMyStreet/App/Response.pm
index 16ebf995f..6b32e6ebb 100644
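Review bot: The `-samesite => 'Lax'` attribute in finalize_cookies is applied only on the hashref branch, so a cookie object that is already blessed when stored in `$c->res->cookies` is emitted without any SameSite attribute, and a hashref cookie cannot choose a different policy either. Reading it from the hash with a default, `-samesite => $val->{samesite} || 'Lax',`, keeps Lax as the default while allowing an explicit per-cookie value. The method otherwise appears to mirror Catalyst::Engine's finalize_cookies; a header comment such as `# Copy of Catalyst::Engine::finalize_cookies plus -samesite; re-check against upstream on Catalyst upgrades.` would flag the divergence for future maintainers. The POD describes the attribute as `samesite=lax` while the code sends it as `Lax`; the two should agree. Whether `-samesite` is honoured presumably depends on the installed CGI::Cookie release, so the minimum CGI version should be declared alongside this change.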
--- a/perllib/FixMyStreet/App/Response.pm
+++ b/perllib/FixMyStreet/App/Response.pm
@@ -13,7 +13,7 @@ around 'redirect' => sub {
 return $self->$orig() unless @_; # getter
 my $agent = $self->_context->request->user_agent;
- return $self->$orig(@_) unless $agent =~ /Edge\/14/; # Only care about Edge
+ return $self->$orig(@_) unless $agent && $agent =~ /Edge\/14/; # Only care about Edge
 # Instead of a redirect, output HTML that redirects
 $self->body(<<END
|
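Review bot: The trailing comment `# Only care about Edge` on the changed line no longer describes the whole condition: with the added `$agent &&` guard a request carrying no User-Agent header also takes the early return instead of tripping an uninitialized-value warning, which is the point of the change. Suggest `# Only care about Edge 14; a missing User-Agent is treated as not-Edge`. The enclosing `around 'redirect'` modifier begins before the hunk and its heredoc body continues past it.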