From 7b00a5966145e98cc4ee2f1edcfd3a3a28bd87b0 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sat, 14 Aug 2021 14:08:39 +0200
Subject: [PATCH] Set secure flag for non-session cookies

This adds the secure flag to all cookies that are set in the frontend for storing various settings. If `SameSite=none` is set (like when embedding the instance is allowed), the `secure` flag is necessary to set any cookie.

Signed-off-by: David Mehren
---
 public/docs/release-notes.md  |  1 +
 public/js/index.js            |  3 ++-
 public/js/lib/common/login.js | 11 ++++++++---
 public/js/lib/editor/index.js | 24 ++++++++++++++++--------
 public/js/locale.js           |  3 ++-
 5 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 7134a3d92..265252e71 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -12,6 +12,7 @@
 ### Bugfixes
 - Fix crash when trying to read the current Git commit on startup
 - Fix endless loop on shutdown when HedgeDoc can't connect to the database
+- Ensure that all cookies are set with the `secure` flag, if HedgeDoc is loaded via HTTPS
 
 ## 1.8.2 2021-05-11
 
diff --git a/public/js/index.js b/public/js/index.js
index c8cb48f1f..80b23d278 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -2098,7 +2098,8 @@ function toggleNightMode () {
   } else {
     Cookies.set('nightMode', !isActive, {
       expires: 365,
-      sameSite: window.cookiePolicy
+      sameSite: window.cookiePolicy,
+      secure: window.location.protocol === 'https:'
     })
   }
 }
diff --git a/public/js/lib/common/login.js b/public/js/lib/common/login.js
index 88e8f8cfc..6990845de 100644
--- a/public/js/lib/common/login.js
+++ b/public/js/lib/common/login.js
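Review bot: The attribute `secure: window.location.protocol === 'https:'` is written out by hand at every `Cookies.set` call, here in toggleNightMode and again in the login.js, editor/index.js and locale.js hunks (twelve sites in total), so the next change to the cookie policy needs the same twelve-way edit and it is easy for one site to drift. A small helper in a module every caller already imports, e.g. `export function cookieAttributes (extra = {}) { return { sameSite: window.cookiePolicy, secure: window.location.protocol === 'https:', ...extra } }`, would let each call read `Cookies.set('nightMode', !isActive, cookieAttributes({ expires: 365 }))` and keep the policy in one place. toggleNightMode begins outside the hunk.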
@@ -20,15 +20,20 @@ export function resetCheckAuth () {
 export function setLoginState (bool, id) {
   Cookies.set('loginstate', bool, {
     expires: 365,
-    sameSite: window.cookiePolicy
+    sameSite: window.cookiePolicy,
+    secure: window.location.protocol === 'https:'
   })
   if (id) {
     Cookies.set('userid', id, {
       expires: 365,
-      sameSite: window.cookiePolicy
+      sameSite: window.cookiePolicy,
+      secure: window.location.protocol === 'https:'
     })
   } else {
-    Cookies.remove('userid')
+    Cookies.remove('userid', {
+      sameSite: window.cookiePolicy,
+      secure: window.location.protocol === 'https:'
+    })
   }
   lastLoginState = bool
   lastUserId = id
diff --git a/public/js/lib/editor/index.js b/public/js/lib/editor/index.js
index 45ae8d9f7..da15a29dd 100644
--- a/public/js/lib/editor/index.js
+++ b/public/js/lib/editor/index.js
@@ -343,13 +343,15 @@ export default class Editor {
       if (this.editor.getOption('indentWithTabs')) {
         Cookies.set('indent_type', 'tab', {
           expires: 365,
-          sameSite: window.cookiePolicy
+          sameSite: window.cookiePolicy,
+          secure: window.location.protocol === 'https:'
         })
         type.text('Tab Size:')
       } else {
         Cookies.set('indent_type', 'space', {
           expires: 365,
-          sameSite: window.cookiePolicy
+          sameSite: window.cookiePolicy,
+          secure: window.location.protocol === 'https:'
         })
         type.text('Spaces:')
       }
@@ -361,12 +363,14 @@ export default class Editor {
       if (this.editor.getOption('indentWithTabs')) {
         Cookies.set('tab_size', unit, {
           expires: 365,
-          sameSite: window.cookiePolicy
+          sameSite: window.cookiePolicy,
+          secure: window.location.protocol === 'https:'
         })
       } else {
         Cookies.set('space_units', unit, {
           expires: 365,
-          sameSite: window.cookiePolicy
+          sameSite: window.cookiePolicy,
+          secure: window.location.protocol === 'https:'
         })
       }
       widthLabel.text(unit)
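Review bot: The new `secure` attribute in setLoginState is conditional on the page being served over HTTPS, and nothing in the code says why; a later reader may "harden" it to `secure: true` and break plain-HTTP deployments, because modern browsers refuse a Secure cookie set from an http: origin. A short comment above the first `Cookies.set` would pin the reasoning, e.g. `// Secure only over HTTPS: browsers reject Secure cookies from http: origins, and SameSite=None (window.cookiePolicy) requires Secure`. It would also make explicit what the commit message states but the code does not: on a plain-HTTP instance with cookiePolicy 'none' these cookies are silently dropped, so loginstate/userid never persist there. The same applies to the `Cookies.remove('userid', …)` branch, which, if `Cookies` is js-cookie, is itself a set with a past expiry and so needs the same attributes.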
@@ -435,7 +439,8 @@ export default class Editor {
       const keymap = this.editor.getOption('keyMap')
       Cookies.set('keymap', keymap, {
         expires: 365,
-        sameSite: window.cookiePolicy
+        sameSite: window.cookiePolicy,
+        secure: window.location.protocol === 'https:'
       })
       label.text(keymap)
       this.restoreOverrideEditorKeymap()
@@ -484,7 +489,8 @@ export default class Editor {
       this.editor.setOption('theme', theme)
       Cookies.set('theme', theme, {
         expires: 365,
-        sameSite: window.cookiePolicy
+        sameSite: window.cookiePolicy,
+        secure: window.location.protocol === 'https:'
       })
 
       checkTheme()
@@ -530,7 +536,8 @@ export default class Editor {
       }
       Cookies.set('spellcheck', mode === 'spell-checker', {
         expires: 365,
-        sameSite: window.cookiePolicy
+        sameSite: window.cookiePolicy,
+        secure: window.location.protocol === 'https:'
       })
 
       checkSpellcheck()
@@ -577,7 +584,8 @@ export default class Editor {
       if (overrideBrowserKeymap.is(':checked')) {
         Cookies.set('preferences-override-browser-keymap', true, {
           expires: 365,
-          sameSite: window.cookiePolicy
+          sameSite: window.cookiePolicy,
+          secure: window.location.protocol === 'https:'
         })
         this.restoreOverrideEditorKeymap()
       } else {
diff --git a/public/js/locale.js b/public/js/locale.js
index ccc1d0e45..bf90e2c8e 100644
--- a/public/js/locale.js
+++ b/public/js/locale.js
@@ -34,7 +34,8 @@ if (localeSelector.length > 0) {
   localeSelector.change(function () {
     Cookies.set('locale', $(this).val(), {
       expires: 365,
-      sameSite: window.cookiePolicy
+      sameSite: window.cookiePolicy,
+      secure: window.location.protocol === 'https:'
     })
     window.location.reload()
   })