From 31d6065a85f51620e282112acef66aa9c92dc749 Mon Sep 17 00:00:00 2001
From: Alejandro Sirgo Rica <asirgo@soleta.eu>
Date: Thu, 27 Jun 2024 16:35:45 +0200
Subject: ogcp: set default SameSite attribute in session cookie

Set the SameSite attribute to 'Lax' if not defined.

The SameSite attribute is a cross-site tracking prevention measure
and defines when cookies are sent within the HTTP headers and
the cases when they are not sent.

The 'Lax' configuration has the following features:
- Cookies are sent with same domain requests.
- Cookies are sent when the user navigates to your site by clicking
  a link or submitting a form from another site.
- Not sent with requests made from other sites such as embeded content.

Prevent warning from browsers such as Firefox from complaining
about undefined SameSite value.
---
 ogcp/__init__.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ogcp/__init__.py b/ogcp/__init__.py
index b0ef164..0e16630 100644
--- a/ogcp/__init__.py
+++ b/ogcp/__init__.py
@@ -16,6 +16,10 @@ ogcp_cfg_path = 'cfg/ogcp.json'
 
 app = Flask(__name__)
 app.config.from_json(ogcp_cfg_path)
+
+if 'SESSION_COOKIE_SAMESITE' not in app.config or not app.config['SESSION_COOKIE_SAMESITE']:
+    app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+
 app.secret_key = urandom(16)
 
 class NoScopeStatus(logging.Filter):
-- 
cgit v1.2.3-18-g5258