otetard / ownpad

Ownpad is a Nextcloud application that allows to create and open Etherpad and Ethercalc documents.
GNU Affero General Public License v3.0
58 stars 24 forks

Cannot access protected pads if HTTPOnly & Secure cookie configured in Owncloud #83

Closed m0urs closed 5 years ago

m0urs commented 5 years ago

I can create protected pads but not access protected pads if I configure my Owncloud instance to use secure cookies.

The issue happens if I add the following directive to my Owncloud Apache config:

Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"

If I disable it, everything works fine.

Unprotected pads work fine even with that setting.

Any idea what needs to be done so that I can use this configuration with Ownpad?

otetard commented 5 years ago

The cookie should be correctly set by Ownpad, but the HttpOnly flag might prevent Etherpad from being able to read it. I had a quick look; the cookie seems to be retrieved in JavaScript code:

https://github.com/ether/etherpad-lite/blob/d4b15c01d5c518a3fc11e121afdd9b880827a526/src/static/js/pad.js#L160
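As an added illustration (not code from Ownpad, Etherpad or either commenter), the snippet below models what the `Header edit` directive from the first post does to every `Set-Cookie` header that passes through Apache, and why a cookie that a page script needs to read stops being visible once the flag is on. The regex is the one quoted in the issue, with `(?i)` expressed as the JavaScript `i` flag. Cookie names and values are constructed samples; the issue does not name the pad cookie, so `padPasswordExample` is a placeholder for it. The last function goes slightly beyond the thread: it shows the effect of scoping the rewrite so that one named cookie is left alone, which is what an Apache regex with an extra lookahead on the cookie name would achieve.

```javascript
// Added example: emulates the blanket "; HttpOnly" rewrite from the issue on
// Set-Cookie headers and checks which cookies a page script could still read.
// All cookie names/values below are constructed samples.

// Same pattern as the Apache directive in the issue:
//   Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
// The negative lookahead at every position means the whole value only matches
// when no "; HttpOnly" attribute is present anywhere in it.
const ADD_HTTPONLY = /^((?:(?!;\s?HttpOnly).)+)$/i;

// Emulates the rewrite: append "; HttpOnly" to any Set-Cookie value lacking it;
// values that already carry the attribute do not match and are left untouched.
function addHttpOnly(setCookieValue) {
  return setCookieValue.replace(ADD_HTTPONLY, '$1; HttpOnly');
}

// Splits a Set-Cookie value into the cookie name and lower-cased attribute names.
function parseSetCookie(setCookieValue) {
  const parts = setCookieValue.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = parts.slice(1).map((p) => p.split('=')[0].toLowerCase());
  return { name, attrs };
}

// Whether a browser would expose this cookie through document.cookie:
// HttpOnly cookies are still sent on requests but are hidden from page scripts,
// which is why a script like Etherpad's pad.js cannot pick up the pad cookie.
function readableByPageScript(setCookieValue) {
  return !parseSetCookie(setCookieValue).attrs.includes('httponly');
}

// Narrower rewrite: flag every cookie except the ones a page script must read.
// exemptNames is a constructed allow-list; the real pad cookie name is not in the issue.
function addHttpOnlyExcept(setCookieValue, exemptNames) {
  const { name } = parseSetCookie(setCookieValue);
  return exemptNames.includes(name) ? setCookieValue : addHttpOnly(setCookieValue);
}

// Constructed sample headers, as a reverse proxy might see them.
const SAMPLE_HEADERS = [
  'sessionExample=abc123; Path=/; Secure',      // session cookie: should gain HttpOnly
  'padPasswordExample=s3cret; Path=/; Secure',  // stand-in for the cookie pad.js reads
  'remember_me=1; Path=/; HttpOnly; Secure',    // already flagged: must stay unchanged
];

// Returns, per sample header, the result of the blanket rewrite from the issue
// and of the scoped rewrite that exempts the page-readable cookie.
function demo() {
  return SAMPLE_HEADERS.map((h) => ({
    original: h,
    blanket: addHttpOnly(h),
    blanketReadable: readableByPageScript(addHttpOnly(h)),
    scoped: addHttpOnlyExcept(h, ['padPasswordExample']),
    scopedReadable: readableByPageScript(addHttpOnlyExcept(h, ['padPasswordExample'])),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the second sample losing page-script visibility under the blanket rewrite while keeping it under the scoped one; the other two cookies are flagged (or left flagged) in both variants, so the session cookie still gets the protection the directive was added for.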

m0urs commented 5 years ago

Ah, thanks for that hint. Google tells me that it is not possible to read an HTTPOnly cookie via JavaScript. So I guess there is no (or no simple) solution for that issue, and I might need to live with it and disable that directive on my Nextcloud instance.