[snowflake-webext/main] Add secure and samesite flags to badge cookie

commit 47ab525ca498bf8699e043aa66c9cabe63d80bfd
Author: Cecylia Bocovich <cohosh@torproject.org>
Date: Thu Jul 29 08:08:58 2021 -0400
Add secure and samesite flags to badge cookie
It looks like there have been several browser security improvements to prevent CSRF attacks. Chrome and Firefox now require cross-site cookies to have the secure and samesite attributes set.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute
https://www.chromium.org/updates/same-site
---
 init-badge.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init-badge.js b/init-badge.js
index 3de6159..171d5c0 100644
--- a/init-badge.js
+++ b/init-badge.js
@@ -100,7 +100,7 @@ var COOKIE_LIFETIME = "Thu, 01 Jan 2038 00:00:00 GMT";
 var COOKIE_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT";
 function setSnowflakeCookie(val, expires) {
- document.cookie = `${COOKIE_NAME}=${val}; path=/; expires=${expires};`;
+ document.cookie = `${COOKIE_NAME}=${val}; path=/; expires=${expires}; secure=true; samesite=none;`;
 }
 const defaultLang = 'en_US';
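Review bot: The attributes added to the `document.cookie` assignment are spelled `secure=true; samesite=none;`, but Secure is a valueless flag in the cookie grammar; browsers ignore the value, so this works, yet the canonical `Secure; SameSite=None;` states the intent more plainly. With Secure set, the cookie is only stored on HTTPS pages, so an http:// deployment of the badge would silently stop persisting the setting; a comment above the assignment such as `// SameSite=None + Secure: cookie is read in a cross-site context, HTTPS only` would record that. SameSite=None lifts the browser's cross-site restriction for this cookie, which is reasonable only if it holds a UI preference rather than anything credential-like; the callers are outside the hunk, so that should be confirmed. `val` and `expires` are interpolated unescaped into the cookie string, so they should only ever come from fixed values such as the constants above, not from page or URL input.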