etherpad-lite/doc
John McLear 21e1ae2fa3
security: allow integrator sessionID cookie to be HttpOnly (#7045) (#7755)
* security: allow integrator sessionID cookie to be HttpOnly (#7045)

The integrator-set sessionID cookie was forced to be non-HttpOnly because
Etherpad's own client JS read it via document.cookie and forwarded it in
the socket.io CLIENT_READY payload, exposing it to XSS.

Mirror the GDPR PR3 author-token migration: read sessionID from the
socket.io handshake's Cookie header in PadMessageHandler.handleClientReady,
falling back to the legacy message-level field with a one-time deprecation
warning per socket. Drop the client-side Cookies.get('sessionID') reads in
pad.ts and timeslider.ts so the field is no longer sent by current clients.

Existing integrators that set sessionID without HttpOnly keep working
unchanged; the field on the message becomes optional and integrators
should now mark the cookie HttpOnly; Secure; SameSite=Lax.

Closes #7045

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(security): treat undecodable handshake cookies as absent (Qodo #7755)

decodeURIComponent() throws URIError on malformed values like `%ZZ`. The
unguarded call in PadMessageHandler.handleClientReady's readCookie() let
a single bad cookie abort CLIENT_READY for that socket, allowing
unauthenticated peers to spam server error logs and lock themselves out
of pads.

Catch URIError and treat the value as absent so the legacy message-level
field still serves as a fallback. Other error classes still propagate.
Add a backend test that asserts a `sessionID=%ZZ` cookie no longer
aborts the handshake.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 19:44:55 +01:00
..
.vitepress chore: Rename some occurences of etherpad-lite to etherpad (#7552) 2026-04-19 16:53:57 +02:00
admin feat(updater): tier 3 — auto update with grace window (#7607) (#7720) 2026-05-12 20:50:06 +01:00
api feat(userlist): click a user to open chat with @<name> prefilled (#7660) 2026-05-03 05:40:44 +01:00
assets normalized 3rd level headings and adapted the max-width of the body (#5994) 2023-10-19 22:12:32 +02:00
public Added vitepress for documentation. (#6270) 2024-03-23 20:58:05 +01:00
.gitignore Added vitepress for documentation. (#6270) 2024-03-23 20:58:05 +01:00
cli.md feat(7642): bin/compactStalePads — staleness-gated bulk compaction (#7708) 2026-05-10 22:41:52 +02:00
cookies.adoc normalized 3rd level headings and adapted the max-width of the body (#5994) 2023-10-19 22:12:32 +02:00
cookies.md security: allow integrator sessionID cookie to be HttpOnly (#7045) (#7755) 2026-05-15 19:44:55 +01:00
database.adoc Added docs as asciidoctor with cross platform support. (#5733) 2023-06-21 13:13:31 +01:00
demo.md Added vitepress for documentation. (#6270) 2024-03-23 20:58:05 +01:00
docker.adoc docs(7538): soffice is now optional for docx/pdf (#7707) 2026-05-09 11:29:43 +01:00
docker.md docs(7538): soffice is now optional for docx/pdf (#7707) 2026-05-09 11:29:43 +01:00
documentation.adoc Added docs as asciidoctor with cross platform support. (#5733) 2023-06-21 13:13:31 +01:00
documentation.md Added vitepress for documentation. (#6270) 2024-03-23 20:58:05 +01:00
index.adoc Added docs as asciidoctor with cross platform support. (#5733) 2023-06-21 13:13:31 +01:00
index.md Added vitepress for documentation. (#6270) 2024-03-23 20:58:05 +01:00
localization.adoc fixed format of json (#5992) 2023-10-19 21:33:12 +02:00
localization.md Added vitepress for documentation. (#6270) 2024-03-23 20:58:05 +01:00
npm-trusted-publishing.md Require Node.js >= 25 (engines, installers, Dockerfile, snap, CI, docs) (#7749) 2026-05-15 10:04:24 +01:00
package.json build(deps-dev): bump the dev-dependencies group with 3 updates (#7759) 2026-05-15 19:24:07 +01:00
PLUGIN_FEATURE_DISABLES.md test: tag rtl_url_param toggle-off specs with @feature:rtl-toggle (#7661) 2026-05-03 13:26:50 +08:00
PLUGIN_FRONTEND_TESTS.md ci(playwright): discover plugin frontend specs (closes #7622) (#7623) 2026-04-28 06:33:43 +01:00
plugins.adoc Require Node.js >= 25 (engines, installers, Dockerfile, snap, CI, docs) (#7749) 2026-05-15 10:04:24 +01:00
plugins.md Require Node.js >= 25 (engines, installers, Dockerfile, snap, CI, docs) (#7749) 2026-05-15 10:04:24 +01:00
privacy.md feat(gdpr): author erasure (PR5 of #6701) (#7550) 2026-05-03 12:30:49 +01:00
skins.adoc feat(pad): scrub history in-place on the pad URL (#7659) (#7710) 2026-05-10 16:21:56 +01:00
skins.md feat(pad): scrub history in-place on the pad URL (#7659) (#7710) 2026-05-10 16:21:56 +01:00
stats.adoc chore: added documentation for prometheus 2025-08-25 21:13:38 +02:00
stats.md Added vitepress for documentation. (#6270) 2024-03-23 20:58:05 +01:00