Merge pull request #9772 from nextcloud/feature/8123/same_site_cookie_config_php
Move samesite cookie opt-out to config.php
commit
c60c8ac675
|
@ -1595,4 +1595,16 @@ $CONFIG = array(
|
|||
*/
|
||||
'gs.federation' => 'internal',
|
||||
|
||||
/**
|
||||
* List of incompatible user agents opted out from Same Site Cookie Protection.
|
||||
* Some user agents are notorious and don't really properly follow HTTP
|
||||
* specifications. For those, have an opt-out.
|
||||
*
|
||||
* WARNING: only use this if you know what you are doing
|
||||
*/
|
||||
'csrf.optout' => array(
|
||||
'/^WebDAVFS/', // OS X Finder
|
||||
'/^Microsoft-WebDAV-MiniRedir/', // Windows webdav drive
|
||||
),
|
||||
|
||||
);
|
||||
|
|
17
lib/base.php
17
lib/base.php
|
@ -523,11 +523,18 @@ class OC {
|
|||
// specifications. For those, have an automated opt-out. Since the protection
|
||||
// for remote.php is applied in base.php as starting point we need to opt out
|
||||
// here.
|
||||
$incompatibleUserAgents = [
|
||||
// OS X Finder
|
||||
'/^WebDAVFS/',
|
||||
'/^Microsoft-WebDAV-MiniRedir/',
|
||||
];
|
||||
$incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout');
|
||||
|
||||
// Fallback, if csrf.optout is unset
|
||||
if (!is_array($incompatibleUserAgents)) {
|
||||
$incompatibleUserAgents = [
|
||||
// OS X Finder
|
||||
'/^WebDAVFS/',
|
||||
// Windows webdav drive
|
||||
'/^Microsoft-WebDAV-MiniRedir/',
|
||||
];
|
||||
}
|
||||
|
||||
if($request->isUserAgent($incompatibleUserAgents)) {
|
||||
return;
|
||||
}
|
||||
|
|
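Review bot: The twelve-line fallback that follows `getSystemValue('csrf.optout')` re-declares the same two patterns that config.sample.php now documents, and the config API already takes a default, so the read can become `$incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout', ['/^WebDAVFS/', '/^Microsoft-WebDAV-MiniRedir/']);` with only the `is_array` guard kept for a malformed value. Because each entry is matched against the client's User-Agent (presumably as a regex, given the existing `/^.../` form) and a hit skips the CSRF check entirely, the guard should also drop non-string entries, e.g. `$incompatibleUserAgents = array_filter($incompatibleUserAgents, 'is_string');`, so a mistyped config.php produces neither warnings nor an unintended match. The comment at the top of the hunk still describes an "automated opt-out"; now that the list is admin-configurable it would be worth restating the sample-config warning there, along the lines of `// Configured via csrf.optout; a matching agent bypasses CSRF protection, so keep the patterns narrow.` The enclosing method continues outside the hunk.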