From 22f1777c1c1bd7fdb8cac86c63ec17b9cf7a1a7f Mon Sep 17 00:00:00 2001
From: Gwendolyn
Date: Mon, 11 Dec 2023 19:10:49 +0100
Subject: [PATCH] add samesite=strict for tile cookie

---
 src/c3nav/mapdata/views.py | 3 ++-
 src/c3nav/settings.py | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/c3nav/mapdata/views.py b/src/c3nav/mapdata/views.py
index 8a9f83b9..656d13e5 100644
--- a/src/c3nav/mapdata/views.py
+++ b/src/c3nav/mapdata/views.py
@@ -28,7 +28,8 @@ def set_tile_access_cookie(request, response):
         response.set_cookie(settings.TILE_ACCESS_COOKIE_NAME, cookie, max_age=60,
                             domain=settings.TILE_ACCESS_COOKIE_DOMAIN,
                             httponly=settings.TILE_ACCESS_COOKIE_HTTPONLY,
-                            secure=settings.TILE_ACCESS_COOKIE_SECURE)
+                            secure=settings.TILE_ACCESS_COOKIE_SECURE,
+                            samesite=settings.TILE_ACCESS_COOKIE_SAMESITE)
     else:
         response.delete_cookie(settings.TILE_ACCESS_COOKIE_NAME)
     response['Cache-Control'] = 'no-cache'
diff --git a/src/c3nav/settings.py b/src/c3nav/settings.py
index fbd9344d..ecdbd6b8 100644
--- a/src/c3nav/settings.py
+++ b/src/c3nav/settings.py
@@ -302,6 +302,7 @@ TILE_ACCESS_COOKIE_NAME = 'c3nav_tile_access'
 TILE_ACCESS_COOKIE_DOMAIN = config.get('c3nav', 'tile_access_cookie_domain', fallback=None)
 TILE_ACCESS_COOKIE_HTTPONLY = True
 TILE_ACCESS_COOKIE_SECURE = not DEBUG
+TILE_ACCESS_COOKIE_SAMESITE = 'strict'
 
 # Application definition
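Review bot: The new `samesite=` argument only works if the tile host named by `TILE_ACCESS_COOKIE_DOMAIN` is same-site with the page that issues the tile requests; with a Strict value browsers omit the cookie from every cross-site request, so a deployment that serves tiles from a different registrable domain would silently lose tile access instead of failing loudly. A short comment above the call, `# Strict: tile requests must originate from a same-site page; a cross-site tile domain needs 'None' together with Secure`, would record that constraint next to the code that depends on it. The `delete_cookie` call on the else branch still omits `domain=settings.TILE_ACCESS_COOKIE_DOMAIN`, so when a domain is configured the deletion does not address the cookie set above; that presumably predates this change, but passing the same `domain=` (and, where the installed Django's `delete_cookie` accepts it, the same `samesite=`) keeps set and delete symmetric. set_tile_access_cookie starts before the hunk.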
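Review bot: `TILE_ACCESS_COOKIE_SAMESITE = 'strict'` is the only one of these cookie settings that cannot be changed per deployment, while `TILE_ACCESS_COOKIE_DOMAIN` directly above it is read from config; since the correct SameSite value depends on whether the configured tile domain is same-site with the app, reading it the same way keeps the two in step: `TILE_ACCESS_COOKIE_SAMESITE = config.get('c3nav', 'tile_access_cookie_samesite', fallback='strict')`. A trailing comment, `# 'strict' / 'lax' / 'none'; browsers honour 'none' only together with Secure`, would document the accepted values and the one constraint an operator can get wrong. Django checks the value case-insensitively, so the lowercase literal is fine, but an unrecognised string is only rejected by `set_cookie` at request time rather than at startup, which is a further reason to keep the fallback a known-good literal.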