From 72cde6dfde440dce4c66e19c108864a1df1ebca5 Mon Sep 17 00:00:00 2001
From: Manuel
Date: Tue, 27 Sep 2022 23:58:47 +0200
Subject: [PATCH] fix:(middlewares.go) - Set Cookie SameSite mode to Strict - 1776 (#1777)

* None is deprecated and will fallback to Lax in the future.
* Using Strict is future proof and provides additional CSR protection

Signed-off-by: Manuel Kroeber
Signed-off-by: Manuel Kroeber
---
 server/middlewares.go | 2 +-
 server/subsonic/middlewares.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/middlewares.go b/server/middlewares.go
index 9f291e26a..52399da34 100644
--- a/server/middlewares.go
+++ b/server/middlewares.go
@@ -112,7 +112,7 @@ func clientUniqueIdAdder(next http.Handler) http.Handler {
 MaxAge: consts.CookieExpiry,
 HttpOnly: true,
 Secure: true,
-SameSite: http.SameSiteNoneMode,
+SameSite: http.SameSiteStrictMode,
 Path: "/",
 }
 http.SetCookie(w, c)
diff --git a/server/subsonic/middlewares.go b/server/subsonic/middlewares.go
index b66f23eff..50345a405 100644
--- a/server/subsonic/middlewares.go
+++ b/server/subsonic/middlewares.go
@@ -161,6 +161,7 @@ func getPlayer(players core.Players) func(next http.Handler) http.Handler {
 Value: player.ID,
 MaxAge: consts.CookieExpiry,
 HttpOnly: true,
+SameSite: http.SameSiteStrictMode,
 Path: "/",
 }
 http.SetCookie(w, cookie)
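Review bot: Switching the client-id cookie in clientUniqueIdAdder from SameSite=None to Strict means browsers withhold it on every cross-site request, including a top-level navigation into the UI from another site, so such a visit arrives without the cookie and is minted a fresh ID; if that cookie is meant to be stable per browser, `SameSite: http.SameSiteLaxMode,` blocks the same cross-site POST/XHR cases while keeping the cookie on top-level GET navigations. The `Secure: true` context line was required by the old None mode but is now a free-standing choice that still drops the cookie on plain-HTTP deployments; a one-line comment such as `// Secure: cookie is only ever sent over TLS; plain-http deployments will not keep a client id` would make that intentional. The commit message's rationale is slightly off: browsers treat cookies *without* a SameSite attribute as Lax and reject SameSite=None unless Secure is set, rather than deprecating None; the code change itself is fine. clientUniqueIdAdder's body begins and ends outside the hunk.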
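Review bot: The added `SameSite: http.SameSiteStrictMode,` on the Subsonic player cookie leaves it without the `Secure` attribute that the sibling cookie in server/middlewares.go carries, so `player.ID` can still be sent in cleartext whenever the server is also reachable over plain HTTP; for consistency add `Secure: true,` beside HttpOnly, or, if plain-HTTP LAN deployments must keep working, derive it from the request scheme (`r.TLS != nil` or a trusted forwarded-proto header) instead of hard-coding either value. Note that Strict changes little for browser-based Subsonic clients on another origin: the previous unset attribute already defaults to Lax in current browsers, which already withholds the cookie on cross-site fetch/XHR, so such clients presumably identify the player some other way — that fallback, like the rest of getPlayer, is outside the hunk and should be confirmed.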