From fcdeb95ed646c34934ca7c55897112bb2b5b03bc Mon Sep 17 00:00:00 2001
From: MuchMilk <105020331+MuchMilk@users.noreply.github.com>
Date: Tue, 12 Dec 2023 21:31:39 +0000
Subject: [PATCH] Set secure policy on antiforgery cookie to always (#1052)

* Set secure policy on antiforgery cookie to always
* Only include secure policy if base url begins with https
* Replace config with using base url generator
---------
Co-authored-by: James Sibbit
---
 .../Areas/IdentityServer/Config/IdentityServerServices.cs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
index c25e7736e..b5a730c3b 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@@ -126,6 +126,14 @@ public static class IdentityServerServices
 var identityOptions = c.GetRequiredService>().Value;
 options.SuppressXFrameOptionsHeader = identityOptions.SuppressXFrameOptionsHeader;
+
+ // Set antiforgery cookie secure policy to always for https
+ var baseUrl = c.GetRequiredService().BuildUrl();
+
+ if (baseUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+ {
+ options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+ }
 });
 services.Configure((c, options) =>
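Review bot: The comment added above `var baseUrl` only restates the assignment beneath it; what a maintainer needs recorded is why the configured base URL, not the scheme of the incoming request, decides the policy (presumably so that TLS terminated at a proxy, which forwards plain http, still yields a Secure-flagged cookie — confirm) and that the antiforgery default, SameAsRequest, stays in effect whenever the branch is skipped, e.g. `// Base URL, not request scheme, decides this so proxy-terminated TLS still gets a Secure cookie; otherwise the SameAsRequest default applies.` The prefix test also dereferences `baseUrl` unguarded, so if `BuildUrl()` can ever return null the options factory throws on first use; `if (Uri.TryCreate(baseUrl, UriKind.Absolute, out var uri) && uri.Scheme == Uri.UriSchemeHttps)` rejects both the null and the malformed case while keeping the same decision for well-formed values. The generic arguments of both `GetRequiredService` calls are missing from the hunk as rendered, so which service supplies `BuildUrl()` cannot be checked here, and the enclosing `services.Configure` lambda and its containing method start outside the hunk.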