luci-base: harden cookie sysauth=

[project/luci.git] / modules / luci-base / luasrc / dispatcher.lua

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 5fc2b80..38932af 100644 (file)
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -428,7 +428,9 @@ function dispatch(request)
                                return
                        end
 
-                       http.header("Set-Cookie", 'sysauth=%s; path=%s' %{ sid, build_url() })
+                       http.header("Set-Cookie", 'sysauth=%s; path=%s; HttpOnly%s' %{
+                               sid, build_url(), http.getenv("HTTPS") == "on" and "; secure" or ""
+                       })
                        http.redirect(build_url(unpack(ctx.requestpath)))
                end
 
@@ -442,6 +444,13 @@ function dispatch(request)
                ctx.authuser = sdat.username
        end
 
+       if track.cors and http.getenv("REQUEST_METHOD") == "OPTIONS" then
+               luci.http.status(200, "OK")
+               luci.http.header("Access-Control-Allow-Origin", http.getenv("HTTP_ORIGIN") or "*")
+               luci.http.header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
+               return
+       end
+
        if c and require_post_security(c.target) then
                if not test_post_security(c) then
                        return