+2

cmd/anubis/main.go

··· 51 51 cookiePrefix = flag.String("cookie-prefix", "techaro.lol-anubis", "prefix for browser cookies created by Anubis") 52 52 cookiePartitioned = flag.Bool("cookie-partitioned", false, "if true, sets the partitioned flag on Anubis cookies, enabling CHIPS support") 53 53 hs512Secret = flag.String("hs512-secret", "", "secret used to sign JWTs, uses ed25519 if not set") 54 54 + cookieSecure = flag.Bool("cookie-secure", true, "if true, sets the secure flag on Anubis cookies") 54 55 ed25519PrivateKeyHex = flag.String("ed25519-private-key-hex", "", "private key used to sign JWTs, if not set a random one will be assigned") 55 56 ed25519PrivateKeyHexFile = flag.String("ed25519-private-key-hex-file", "", "file name containing value for ed25519-private-key-hex") 56 57 metricsBind = flag.String("metrics-bind", ":9090", "network address to bind metrics to") ··· 403 404 Target: *target, 404 405 WebmasterEmail: *webmasterEmail, 405 406 OpenGraph: policy.OpenGraph, 407 407 + CookieSecure: *cookieSecure, 406 408 }) 407 409 if err != nil { 408 410 log.Fatalf("can't construct libanubis.Server: %v", err)

+3

docs/docs/CHANGELOG.md

··· 10 10 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 11 11 12 12 ## [Unreleased] 13 13 + <!-- This changes the project to: --> 14 14 + - Add `COOKIE_SECURE` option to set the cookie [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies) 15 15 + - Sets cookie defaults to use [SameSite: None](https://web.dev/articles/samesite-cookies-explained) 13 16 14 17 - Determine the `BIND_NETWORK`/`--bind-network` value from the bind address ([#677](https://github.com/TecharoHQ/anubis/issues/677)). 15 18 - Implement localization system. Find locale files in lib/localization/locales/.

+1

docs/docs/admin/installation.mdx

··· 67 67 | `COOKIE_DYNAMIC_DOMAIN` | false | If set to true, automatically set cookie domain fields based on the hostname of the request. EG: if you are making a request to `anubis.techaro.lol`, the Anubis cookie will be valid for any subdomain of `techaro.lol`. | 68 68 | `COOKIE_EXPIRATION_TIME` | `168h` | The amount of time the authorization cookie is valid for. | 69 69 | `COOKIE_PARTITIONED` | `false` | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe. | 70 70 + | `COOKIE_SECURE` | `true` | If set to `true`, enables the [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies), meaning that the cookies will only be transmitted over HTTPS. If Anubis is used in an unsecure context (plain HTTP), this will be need to be set to false | 70 71 | `DIFFICULTY` | `4` | The difficulty of the challenge, or the number of leading zeroes that must be in successful responses. | 71 72 | `ED25519_PRIVATE_KEY_HEX` | unset | The hex-encoded ed25519 private key used to sign Anubis responses. If this is not set, Anubis will generate one for you. This should be exactly 64 characters long. See below for details. | 72 73 | `ED25519_PRIVATE_KEY_HEX_FILE` | unset | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set. |

+5

lib/anubis_test.go

··· 262 262 263 263 CookieDomain: "127.0.0.1", 264 264 CookiePartitioned: true, 265 265 + CookieSecure: true, 265 266 CookieExpiration: anubis.CookieDefaultExpirationTime, 266 267 }) 267 268 ··· 308 309 309 310 if ckie.Partitioned != srv.opts.CookiePartitioned { 310 311 t.Errorf("wanted partitioned flag %v, got: %v", srv.opts.CookiePartitioned, ckie.Partitioned) 312 312 + } 313 313 + 314 314 + if ckie.Secure != srv.opts.CookieSecure { 315 315 + t.Errorf("wanted secure flag %v, got: %v", srv.opts.CookieSecure, ckie.Secure) 311 316 } 312 317 } 313 318

+1

lib/config.go

··· 44 44 StripBasePrefix bool 45 45 OpenGraph config.OpenGraph 46 46 ServeRobotsTXT bool 47 47 + CookieSecure bool 47 48 } 48 49 49 50 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {

+20 -12

lib/http.go

··· 23 23 var domainMatchRegexp = regexp.MustCompile(`^((xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$`) 24 24 25 25 type CookieOpts struct { 26 26 - Value string 27 27 - Host string 28 28 - Path string 29 29 - Name string 26 26 + Value string 27 27 + Host string 28 28 + Path string 29 29 + Name string 30 30 + Expiry time.Duration 30 31 } 31 32 32 33 func (s *Server) SetCookie(w http.ResponseWriter, cookieOpts CookieOpts) { ··· 45 46 } 46 47 } 47 48 49 49 + if cookieOpts.Expiry == 0 { 50 50 + cookieOpts.Expiry = s.opts.CookieExpiration 51 51 + } 52 52 + 48 53 http.SetCookie(w, &http.Cookie{ 49 54 Name: name, 50 55 Value: cookieOpts.Value, 51 51 - Expires: time.Now().Add(s.opts.CookieExpiration), 52 52 - SameSite: http.SameSiteLaxMode, 56 56 + Expires: time.Now().Add(cookieOpts.Expiry), 57 57 + SameSite: http.SameSiteNoneMode, 53 58 Domain: domain, 59 59 + Secure: s.opts.CookieSecure, 54 60 Partitioned: s.opts.CookiePartitioned, 55 61 Path: path, 56 62 }) ··· 77 83 Value: "", 78 84 MaxAge: -1, 79 85 Expires: time.Now().Add(-1 * time.Minute), 80 80 - SameSite: http.SameSiteLaxMode, 86 86 + SameSite: http.SameSiteNoneMode, 81 87 Partitioned: s.opts.CookiePartitioned, 82 88 Domain: domain, 89 89 + Secure: s.opts.CookieSecure, 83 90 Path: path, 84 91 }) 85 92 } ··· 132 139 } 133 140 } 134 141 135 135 - http.SetCookie(w, &http.Cookie{ 136 136 - Name: anubis.TestCookieName, 137 137 - Value: challengeStr, 138 138 - Expires: time.Now().Add(30 * time.Minute), 139 139 - Path: "/", 142 142 + s.SetCookie(w, CookieOpts{ 143 143 + Value: challengeStr, 144 144 + Host: r.Host, 145 145 + Path: "/", 146 146 + Name: anubis.TestCookieName, 147 147 + Expiry: 30 * time.Minute, 140 148 }) 141 149 142 150 impl, ok := challenge.Get(rule.Challenge.Algorithm)