From 0827fb2c24044daf0f13a3a1271c199988e0259e Mon Sep 17 00:00:00 2001
From: David Hoppenbrouwers
Date: Thu, 26 Jan 2023 09:34:26 +0100
Subject: [PATCH] Fix cookie SameSite not being set

---
 Makefile | 4 +++-
 main.py  | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index a249d6a..b852cd6 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ SQLITE = sqlite3
 
 default: venv
 
-test:: venv
+test: venv
 	test/all.sh
 
 venv:
@@ -13,3 +13,5 @@ venv:
 
 forum.db:
 	$(SQLITE) $@ < schema.txt
+
+.PHONY: test
diff --git a/main.py b/main.py
index 40bc13e..b6c47fc 100644
--- a/main.py
+++ b/main.py
@@ -14,6 +14,11 @@ import captcha, password, minimd
 app = Flask(__name__)
 db = DB(os.getenv('DB'))
 
+# This defaults to None, which allows CSRF attacks in FireFox
+# and older versions of Chrome.
+# 'Lax' is sufficient to prevent malicious POST requests.
+app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+
 class Config: pass
 config = Config()
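Review bot: The comment added above `app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'` overstates what the attribute buys: SameSite=Lax only stops the browser from attaching the session cookie to cross-site POSTs and cross-site subresource requests, so it does nothing for state-changing GET handlers, for requests originating from a sibling subdomain (same site), or in browsers that do not enforce SameSite, and it should be treated as defence in depth alongside a per-request CSRF token rather than a substitute for one. I would reword the third comment line to `# 'Lax' keeps the session cookie off cross-site POSTs; still use per-request CSRF tokens and never change state on GET`. The setting also covers only Flask's session cookie, so any cookie the app sets directly on a response (if it does) needs its own samesite argument. While this config block is being touched, it is worth also setting `app.config['SESSION_COOKIE_SECURE'] = True` when the forum is served over HTTPS so the session cookie is never sent in clear text; main.py's module-level statements continue outside the hunk.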