From 6407eb90db0ad73f39b53a1db795c58747e53c74 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Mon, 29 Apr 2024 11:18:55 +0100
Subject: [PATCH] Explicitly set cookie SameSite attribute to Lax

With 'Secure' set, it may default to 'None', which we don't need or want. 'Strict' is not suitable for session cookies - the user would see the login screen when navigating from another site (e.g. hosting dashboard) and we already have CSRF protection on forms.

---
snikket_web/__init__.py | 1 +
1 file changed, 1 insertion(+)

diff --git a/snikket_web/__init__.py b/snikket_web/__init__.py
index 2651cd2..7c5fe91 100644
--- a/snikket_web/__init__.py
+++ b/snikket_web/__init__.py
@@ -213,6 +213,7 @@ def create_app() -> quart.Quart:
 app.config["ABUSE_EMAIL"] = config.abuse_email
 app.config["SECURITY_EMAIL"] = config.security_email
 app.config["SESSION_COOKIE_SECURE"] = True
+ app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
 app.context_processor(proc)
 app.register_error_handler(