erp5_core: allow instances to surchage the SameSite value

c1bc605a · Romain Courteaud · 8c65094a · c1bc605a · c1bc605a · c1bc605a
Commit c1bc605a authored Jan 16, 2020 by Romain Courteaud
3 changed files
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/ERP5Site_getSameSite.py
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/ERP5Site_getSameSite.py
+return 'Lax'
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/ERP5Site_getSameSite.xml
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/ERP5Site_getSameSite.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>host=None, port=None, path=None</string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5Site_getSameSite</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/setAuthCookie.py
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/setAuthCookie.py
@@ -15,12 +15,20 @@ portal.portal_sessions[
    )
  )
 ]['ac_renew'] = ac_renew
+
+REQUEST_DICT = getattr(portal, 'REQUEST', {})
+
+same_site = portal.ERP5Site_getSameSite(host=REQUEST_DICT.get('HTTP_HOST', None))
+if same_site not in ('None', 'Lax', 'Strict'):
+  # Do not use the SameSite attribute
+  same_site = None
+
 resp.setCookie(
  name=cookie_name,
  value=cookie_value,
  path='/',
-  secure=getattr(portal, 'REQUEST', {}).get('SERVER_URL', '').startswith('https:'),
+  secure=REQUEST_DICT.get('SERVER_URL', '').startswith('https:'),
  http_only=True,
-  same_site='Lax',
+  same_site=same_site,
  **kw
 )