add extra_cookie_attrs option to config
Allow instance admins to set their own SameSite cookie policy from the config. Default value in the config is `Lax`.
This commit is contained in:
parent
776f1e3bdf
commit
10096bbf2b
@ -154,7 +154,10 @@
|
||||
signing_salt: "CqaoopA2",
|
||||
render_errors: [view: Pleroma.Web.ErrorView, accepts: ~w(json)],
|
||||
pubsub: [name: Pleroma.PubSub, adapter: Phoenix.PubSub.PG2],
|
||||
secure_cookie_flag: true
|
||||
secure_cookie_flag: true,
|
||||
extra_cookie_attrs: [
|
||||
"SameSite=Lax"
|
||||
]
|
||||
|
||||
# Configures Elixir's Logger
|
||||
config :logger, :console,
|
||||
|
@ -221,6 +221,8 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i
|
||||
- `scheme` - e.g `http`, `https`
|
||||
- `port`
|
||||
- `path`
|
||||
* `extra_cookie_attrs` - a list of `Key=Value` strings to be added as non-standard cookie attributes. Defaults to `["SameSite=Lax"]`. See the [SameSite article](https://www.owasp.org/index.php/SameSite) on OWASP for more info.
|
||||
|
||||
|
||||
|
||||
**Important note**: if you modify anything inside these lists, default `config.exs` values will be overwritten, which may result in breakage, to make sure this does not happen please copy the default value for the list from `config.exs` and modify/add only what you need
|
||||
@ -442,6 +444,8 @@ The server should also be started with `OAUTH_CONSUMER_STRATEGIES="..." mix phx.
|
||||
|
||||
Note: each strategy requires separate setup (on external provider side and Pleroma side). Below are the guidelines on setting up most popular strategies.
|
||||
|
||||
Note: make sure that `"SameSite=Lax"` is set in `extra_cookie_attrs` when you have this feature enabled. OAuth consumer mode will not work with `"SameSite=Strict"`
|
||||
|
||||
* For Twitter, [register an app](https://developer.twitter.com/en/apps), configure callback URL to https://<your_host>/oauth/twitter/callback
|
||||
|
||||
* For Facebook, [register an app](https://developers.facebook.com/apps), configure callback URL to https://<your_host>/oauth/facebook/callback, enable Facebook Login service at https://developers.facebook.com/apps/<app_id>/fb-login/settings/
|
||||
|
Loading…
Reference in New Issue
Block a user