Allow cookie secure flag on localhost

The localhost is 'potentially trustworthy' and RFC 6265 allows setting secure flag in this case. https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.5 https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
qbittorrent · Aug 25, 2024 · be71609 · be71609
1 parent 58eab8d
commit be71609
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 6 deletions.
diff --git a/src/gui/optionsdialog.cpp b/src/gui/optionsdialog.cpp
@@ -1273,7 +1273,6 @@ void OptionsDialog::loadWebUITabOptions()
     // Security
     m_ui->checkClickjacking->setChecked(pref->isWebUIClickjackingProtectionEnabled());
     m_ui->checkCSRFProtection->setChecked(pref->isWebUICSRFProtectionEnabled());
-    m_ui->checkSecureCookie->setEnabled(pref->isWebUIHttpsEnabled());
     m_ui->checkSecureCookie->setChecked(pref->isWebUISecureCookieEnabled());
     m_ui->groupHostHeaderValidation->setChecked(pref->isWebUIHostHeaderValidationEnabled());
     m_ui->textServerDomains->setText(pref->getServerDomains());
@@ -1315,7 +1314,6 @@ void OptionsDialog::loadWebUITabOptions()
 
     connect(m_ui->checkClickjacking, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
     connect(m_ui->checkCSRFProtection, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
-    connect(m_ui->checkWebUIHttps, &QGroupBox::toggled, m_ui->checkSecureCookie, &QWidget::setEnabled);
     connect(m_ui->checkSecureCookie, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
     connect(m_ui->groupHostHeaderValidation, &QGroupBox::toggled, this, &ThisType::enableApplyButton);
     connect(m_ui->textServerDomains, &QLineEdit::textChanged, this, &ThisType::enableApplyButton);

diff --git a/src/gui/optionsdialog.ui b/src/gui/optionsdialog.ui
@@ -3675,7 +3675,7 @@ Specify an IPv4 or IPv6 address. You can specify &quot;0.0.0.0&quot; for any IPv
                   <item>
                    <widget class="QCheckBox" name="checkSecureCookie">
                     <property name="text">
-                     <string>Enable cookie Secure flag (requires HTTPS)</string>
+                     <string>Enable cookie Secure flag (requires HTTPS or localhost)</string>
                     </property>
                    </widget>
                   </item>

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
@@ -744,7 +744,7 @@ void WebApplication::sessionStart()
 
     QNetworkCookie cookie {m_sessionCookieName.toLatin1(), m_currentSession->id().toLatin1()};
     cookie.setHttpOnly(true);
-    cookie.setSecure(m_isSecureCookieEnabled && m_isHttpsEnabled);
+    cookie.setSecure(m_isSecureCookieEnabled && (m_isHttpsEnabled || env().clientAddress.isLoopback()));
     cookie.setPath(u"/"_s);
     if (m_isCSRFProtectionEnabled)
         cookie.setSameSitePolicy(QNetworkCookie::SameSite::Strict);

diff --git a/src/webui/www/private/views/preferences.html b/src/webui/www/private/views/preferences.html
@@ -980,7 +980,7 @@
             </div>
             <div class="formRow">
                 <input type="checkbox" id="secureCookieCheckbox">
-                <label for="secureCookieCheckbox">QBT_TR(Enable cookie Secure flag (requires HTTPS))QBT_TR[CONTEXT=OptionsDialog]</label>
+                <label for="secureCookieCheckbox">QBT_TR(Enable cookie Secure flag (requires HTTPS or localhost))QBT_TR[CONTEXT=OptionsDialog]</label>
             </div>
 
             <fieldset class="settings">
@@ -1957,7 +1957,6 @@
             const isUseHttpsEnabled = $("use_https_checkbox").checked;
             $("ssl_cert_text").disabled = !isUseHttpsEnabled;
             $("ssl_key_text").disabled = !isUseHttpsEnabled;
-            $("secureCookieCheckbox").disabled = !isUseHttpsEnabled;
         };
 
         const updateBypasssAuthSettings = function() {