author | Yorhel <git@yorhel.nl> | 2020-03-20 15:39:28 +0100 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2020-03-20 15:39:30 +0100 |
commit | 07c05bac4f89373ce61760f63c6bce8934e70d7d (patch) | |
tree | 0c3dc628b7080281c08804ef90c3f9e874468187 | |
parent | 510a4bec60b2dfd6f81b295aed241dfeff2b4f6a (diff) |
Minor refactor: Move "samesite" cookie handling to vndb.pl
As it's now being used from two distinct places.
-rw-r--r-- | lib/VNWeb/Misc/ImageFlagging.pm | 2 | ||||
-rw-r--r-- | lib/VNWeb/Validation.pm | 17 | ||||
-rwxr-xr-x | util/vndb.pl | 7 |
3 files changed, 12 insertions, 14 deletions
diff --git a/lib/VNWeb/Misc/ImageFlagging.pm b/lib/VNWeb/Misc/ImageFlagging.pm
index 72f3a3fe..60b2d345 100644
--- a/lib/VNWeb/Misc/ImageFlagging.pm
+++ b/lib/VNWeb/Misc/ImageFlagging.pm
@@ -149,7 +149,7 @@ TUWF::get qr{/img/(ch|cv|sf)([1-9][0-9]*)}, sub {
enrich_token defined($l->[0]{my_sexual}) || auth->permDbmod(), $l; # XXX: permImgmod?
framework_ title => "Image flagging for $itype$id", sub {
- elm_ 'ImageFlagging', $SEND, { images => $l, single => 1, warn => !tuwf->reqCookie('samesite') };
+ elm_ 'ImageFlagging', $SEND, { images => $l, single => 1, warn => !tuwf->samesite() };
}; };
diff --git a/lib/VNWeb/Validation.pm b/lib/VNWeb/Validation.pm
index f385802b..f4508d6c 100644
--- a/lib/VNWeb/Validation.pm
+++ b/lib/VNWeb/Validation.pm
@@ -232,20 +232,11 @@ sub viewset {
# itself. We don't want people linking directly to spoilers or sexual content.
# If we do get such a request, redirect to the same page without the ?view=
# parameter.
-#
-# This makes use of a cookie with SameSite=Strict rather than the Referer
-# header, as the latter is much less reliable nowadays. Though the cookie
-# approach is unfortunately a bit uglier.
TUWF::hook before => sub {
- my $samesite = tuwf->reqCookie('samesite');
- if(!$samesite) {
- tuwf->resCookie(samesite => 1, httponly => 1, samesite => 'Strict');
- if(length tuwf->reqGet('view')) {
- my $qs = join '&', map { my $k=$_; my @l=tuwf->reqGets($k); map uri_escape($k).'='.uri_escape($_), @l } grep $_ ne 'view', tuwf->reqGets();
- tuwf->resRedirect(tuwf->reqPath().($qs?"?$qs":''), 'temp');
- tuwf->done;
- }
- }
+ return if tuwf->samesite || !length tuwf->reqGet('view');
+ my $qs = join '&', map { my $k=$_; my @l=tuwf->reqGets($k); map uri_escape($k).'='.uri_escape($_), @l } grep $_ ne 'view', tuwf->reqGets();
+ tuwf->resRedirect(tuwf->reqPath().($qs?"?$qs":''), 'temp');
+ tuwf->done;
}; 1;
diff --git a/util/vndb.pl b/util/vndb.pl
index 0741bfaf..b7aedb27 100755
--- a/util/vndb.pl
+++ b/util/vndb.pl 
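Review bot: The rewritten before hook in Validation.pm now silently depends on the 'samesite' cookie being issued by a hook in a different file, but nothing near `return if tuwf->samesite || !length tuwf->reqGet('view');` says so — the removed comment block was the only place that explained the SameSite=Strict cookie mechanism, and the new code keeps no pointer to where the cookie is set. I'd add above the hook `# Relies on the 'samesite' cookie issued in the before hook in util/vndb.pl (see tuwf->samesite).` That comment should also state that the check is best-effort: a client that does not enforce SameSite attributes sends the cookie on cross-site navigations too, so direct ?view= links to spoiler or sexual content are only redirected away for browsers that honour SameSite=Strict, and a first visit without the cookie is treated as external even when it is not. The enclosing `TUWF::hook before => sub { ... };` lies fully inside the hunk.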
@@ -50,6 +50,9 @@ sub TUWF::Object::imgpath { _path $ROOT, $_[1], $_[2] }
# tuwf->imgurl($image_id, $thumb)
sub TUWF::Object::imgurl { _path $_[0]{url_static}, $_[1], $_[2] }
+# tuwf->samesite() - returns true if this request originated from the same site, i.e. not an external referer.
+sub TUWF::Object::samesite { !!tuwf->reqCookie('samesite') }
+
TUWF::hook before => sub {
# If we're running standalone, serve www/ and static/ too.
@@ -60,6 +63,10 @@ TUWF::hook before => sub {
} }
+ # Use a 'SameSite=Strict' cookie to determine whether this page was loaded from internal or external.
+ # Ought to be more reliable than checking the Referer header, but it's unfortunately a bit uglier.
+ tuwf->resCookie(samesite => 1, httponly => 1, samesite => 'Strict') if !tuwf->samesite;
+
# load some stats (used for about all pageviews, anyway)
tuwf->{stats} = tuwf->dbStats; }; |
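Review bot: The comment on `sub TUWF::Object::samesite` overstates what the method can tell: it only reports whether the browser sent the 'samesite' cookie, which is false on the first request of a fresh or cookie-less session even when the navigation is internal, and true on cross-site navigations from clients that do not enforce SameSite. I'd reword it to `# tuwf->samesite() - true if the browser sent our SameSite=Strict 'samesite' cookie, i.e. the request most likely did not come from an external site (best-effort: false on a first visit or without cookies).` For consistency with the sibling `imgurl`, which reaches the object through `$_[0]`, the body could read `sub TUWF::Object::samesite { !!$_[0]->reqCookie('samesite') }` rather than going back through the `tuwf` function.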
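Review bot: `tuwf->resCookie(samesite => 1, httponly => 1, samesite => 'Strict') if !tuwf->samesite;` issues the cookie with no `secure` attribute and no expiry, so it is a session cookie that the browser will also send over plain HTTP if the site is reachable that way; if TUWF's resCookie accepts a `secure` option alongside `httponly` and `samesite`, and the site is served over HTTPS, it should be set here. The cookie is unauthenticated and carries only the constant value 1 — it is a browser-enforced same-site signal, not a CSRF token — and a one-line comment saying so next to the two added comment lines would stop a later reader from treating `tuwf->samesite` as CSRF protection. The enclosing before hook opens in the previous hunk; only its closing `};` is visible here as context.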