diff --git a/docs/docs/start/config.md b/docs/docs/start/config.md index 6f76b2bccc16..c9035672e1e7 100644 --- a/docs/docs/start/config.md +++ b/docs/docs/start/config.md @@ -94,13 +94,14 @@ Depending on how your InvenTree installation is configured, you will need to pay | --- | --- | --- | --- | | INVENTREE_ALLOWED_HOSTS | allowed_hosts | List of allowed hosts | `*` | | INVENTREE_TRUSTED_ORIGINS | trusted_origins | List of trusted origins. Refer to the [django documentation]({% include "django.html" %}/ref/settings/#csrf-trusted-origins) | Uses the *INVENTREE_SITE_URL* parameter, if set. Otherwise, an empty list. | -| INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | False | +| INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | `False` | | INVENTREE_CORS_ORIGIN_WHITELIST | cors.whitelist | List of whitelisted CORS URLs. Refer to the [django-cors-headers documentation](https://github.com/adamchainz/django-cors-headers#cors_allowed_origins-sequencestr) | Uses the *INVENTREE_SITE_URL* parameter, if set. Otherwise, an empty list. | | INVENTREE_CORS_ORIGIN_REGEX | cors.regex | List of regular expressions for CORS whitelisted URL patterns | *Empty list* | -| INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | False | -| INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | False | -| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True | -| INVENTREE_SESSION_COOKIE_SECURE | session_cookie_secure | Enforce secure session cookies | False | +| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | `True` | +| INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | `False` | +| INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | `False` | +| INVENTREE_SESSION_COOKIE_SECURE | cookie.secure | Enforce secure session cookies | `False` | +| INVENTREE_COOKIE_SAMESITE | cookie.samesite | Session cookie mode. Must be one of `Strict | Lax | None`. Refer to the [mozilla developer docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) for more information. | `None` | ### Proxy Settings diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index 2ef1fbc44c7c..13da19b11b91 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1106,13 +1106,27 @@ ) sys.exit(-1) +COOKIE_MODE = ( + str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'None')) + .lower() + .strip() +) + +valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': None, 'null': None} + +if COOKIE_MODE not in valid_cookie_modes.keys(): + logger.error('Invalid cookie samesite mode: %s', COOKIE_MODE) + sys.exit(-1) + +COOKIE_MODE = valid_cookie_modes[COOKIE_MODE.lower()] + # Additional CSRF settings CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' CSRF_COOKIE_NAME = 'csrftoken' -CSRF_COOKIE_SAMESITE = 'Lax' -SESSION_COOKIE_SAMESITE = 'Lax' +CSRF_COOKIE_SAMESITE = COOKIE_MODE +SESSION_COOKIE_SAMESITE = COOKIE_MODE SESSION_COOKIE_SECURE = get_boolean_setting( - 'INVENTREE_SESSION_COOKIE_SECURE', 'session_cookie_secure', False + 'INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', False ) USE_X_FORWARDED_HOST = get_boolean_setting( diff --git a/src/backend/InvenTree/config_template.yaml b/src/backend/InvenTree/config_template.yaml index 8e4efeb54c25..b9bb21222035 100644 --- a/src/backend/InvenTree/config_template.yaml +++ b/src/backend/InvenTree/config_template.yaml @@ -181,6 +181,11 @@ use_x_forwarded_host: false # Override with the environment variable INVENTREE_USE_X_FORWARDED_PORT use_x_forwarded_port: false +# Cookie settings +cookie: + secure: false + samesite: none + # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers) cors: allow_all: true