Merge pull request #16699 from schlawg/fix-relayVideo-cookie-firefox-…

…warning use SameSite None on secure cookies
lichess-org · Dec 29, 2024 · 75e7b57 · 75e7b57
2 parents 1bdd4a8 + 5f1390c
commit 75e7b57
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/modules/security/src/main/LilaCookie.scala b/modules/security/src/main/LilaCookie.scala
@@ -4,10 +4,11 @@ package security
 import play.api.mvc.*
 import scalalib.SecureRandom
 
-import lila.core.config.NetDomain
+import lila.core.config.{ NetDomain, NetConfig }
 import lila.core.security.LilaCookie
 
-final class LilaCookie(domain: NetDomain, baker: SessionCookieBaker) extends lila.core.security.LilaCookie:
+final class LilaCookie(domain: NetDomain, baker: SessionCookieBaker, config: NetConfig)
+    extends lila.core.security.LilaCookie:
 
   private val cookieDomain = domain.value.split(":").head
 
@@ -44,12 +45,11 @@ final class LilaCookie(domain: NetDomain, baker: SessionCookieBaker) extends lil
     Cookie(
       name,
       value,
-      if maxAge.has(0) then none
-      else maxAge.orElse(baker.maxAge).orElse(86400.some),
-      "/",
-      cookieDomain.some,
-      baker.secure || req.headers.get("X-Forwarded-Proto").contains("https"),
-      httpOnly | baker.httpOnly
+      maxAge = if maxAge.has(0) then none else maxAge.orElse(baker.maxAge).orElse(86400.some),
+      path = "/",
+      domain = cookieDomain.some,
+      httpOnly = httpOnly | baker.httpOnly,
+      sameSite = (if config.minifiedAssets then Cookie.SameSite.None else Cookie.SameSite.Lax).some
     )
 
   def isRememberMe(req: RequestHeader) = !req.session.get(LilaCookie.noRemember).has("1")