squidy/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2026-01-03 06:02:29 -06:00
Code Issues Packages Projects Releases Wiki Activity

WebUI: Implement "Secure" flag for session cookie

Browse Source 
Closes #11724.

Option is enabled by default for users using qBittorrent's built-in HTTPS capabilities. This flag will never be set if qBittorrent is using plain HTTP.

Users using HTTPS reverse proxies, like "qbt <-> (http) <-> proxy <-> (https) <-> user" should override the flag in the proxy in order to set it, if they wish to do so.
This commit is contained in:
FranciscoPombal
2019-12-23 17:58:08 +00:00
parent 18de63f743
commit 691d5e5d89
8 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/webui/www/private/views/preferences.html
View File

@@ -756,6 +756,10 @@
<input type="checkbox" id="csrf_protection_checkbox" />
<label for="csrf_protection_checkbox">QBT_TR(Enable Cross-Site Request Forgery (CSRF) protection)QBT_TR[CONTEXT=OptionsDialog]</label>
</div>
<div class="formRow">
<input type="checkbox" id="secureCookieCheckbox" />
<label for="secureCookieCheckbox">QBT_TR(Enable cookie Secure flag (requires HTTPS))QBT_TR[CONTEXT=OptionsDialog]</label>
</div>
<fieldset class="settings">
<legend>
@@ -1350,6 +1354,7 @@
const isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
$('ssl_cert_text').setProperty('disabled', !isUseHttpsEnabled);
$('ssl_key_text').setProperty('disabled', !isUseHttpsEnabled);
$('secureCookieCheckbox').setProperty('disabled', !isUseHttpsEnabled);
};
const updateBypasssAuthSettings = function() {
@@ -1717,6 +1722,7 @@
// Security
$('clickjacking_protection_checkbox').setProperty('checked', pref.web_ui_clickjacking_protection_enabled);
$('csrf_protection_checkbox').setProperty('checked', pref.web_ui_csrf_protection_enabled);
$('secureCookieCheckbox').setProperty('checked', pref.web_ui_secure_cookie_enabled);
$('host_header_validation_checkbox').setProperty('checked', pref.web_ui_host_header_validation_enabled);
updateHostHeaderValidationSettings();
@@ -2082,6 +2088,7 @@
settings.set('web_ui_clickjacking_protection_enabled', $('clickjacking_protection_checkbox').getProperty('checked'));
settings.set('web_ui_csrf_protection_enabled', $('csrf_protection_checkbox').getProperty('checked'));
settings.set('web_ui_secure_cookie_enabled', $('secureCookieCheckbox').getProperty('checked'));
settings.set('web_ui_host_header_validation_enabled', $('host_header_validation_checkbox').getProperty('checked'));
// Update my dynamic domain name