|
|
|
@ -58,14 +58,9 @@ defmodule Pleroma.Web.Endpoint do
|
|
|
|
|
do: "__Host-pleroma_key",
|
|
|
|
|
else: "pleroma_key"
|
|
|
|
|
|
|
|
|
|
same_site =
|
|
|
|
|
if Pleroma.Config.oauth_consumer_enabled?() do
|
|
|
|
|
# Note: "SameSite=Strict" prevents sign in with external OAuth provider
|
|
|
|
|
# (there would be no cookies during callback request from OAuth provider)
|
|
|
|
|
"SameSite=Lax"
|
|
|
|
|
else
|
|
|
|
|
"SameSite=Strict"
|
|
|
|
|
end
|
|
|
|
|
extra =
|
|
|
|
|
Pleroma.Config.get([__MODULE__, :extra_cookie_attrs])
|
|
|
|
|
|> Enum.join(";")
|
|
|
|
|
|
|
|
|
|
# The session will be stored in the cookie and signed,
|
|
|
|
|
# this means its contents can be read but not tampered with.
|
|
|
|
@ -77,7 +72,7 @@ defmodule Pleroma.Web.Endpoint do
|
|
|
|
|
signing_salt: {Pleroma.Config, :get, [[__MODULE__, :signing_salt], "CqaoopA2"]},
|
|
|
|
|
http_only: true,
|
|
|
|
|
secure: secure_cookies,
|
|
|
|
|
extra: same_site
|
|
|
|
|
extra: extra
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Note: the plug and its configuration is compile-time this can't be upstreamed yet
|
|
|
|
|