From f4cc22969df12701101a1ce4c7b35af4791ee43c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Mon, 23 Aug 2021 16:15:52 +0200
Subject: [PATCH] Set SameSite=none when embedding into frames is allowed

Resolves #4428
---
 .../files/lib/system/session/SessionHandler.class.php | 4 ++++
 wcfsetup/install/files/lib/util/HeaderUtil.class.php | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index d51d8229b3..a5f07047be 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -498,6 +498,10 @@ final class SessionHandler extends SingletonFactory
 $sameSite = '; SameSite=strict';
 }
 
+ if (!HTTP_SEND_X_FRAME_OPTIONS) {
+ $sameSite = '; SameSite=none';
+ }
+
 \header(
 'set-cookie: XSRF-TOKEN=' . \rawurlencode($xsrfToken) . '; path=/' . $cookieDomain . (RouteHandler::secureConnection() ? '; secure' : '') . $sameSite,
 false
diff --git a/wcfsetup/install/files/lib/util/HeaderUtil.class.php b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
index 8c62084ba2..b0664b6218 100644
--- a/wcfsetup/install/files/lib/util/HeaderUtil.class.php
+++ b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
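Review bot: The new branch emits `SameSite=none` without guaranteeing the `Secure` attribute, which the `set-cookie` line below only appends when `RouteHandler::secureConnection()` holds; current browsers discard `SameSite=None` cookies that lack `Secure`, so over plain HTTP the XSRF-TOKEN cookie would be dropped entirely rather than merely not being sent inside frames. Tie the override to the same check, e.g. `if (!HTTP_SEND_X_FRAME_OPTIONS && RouteHandler::secureConnection()) {`, or document that framed embedding is unsupported on non-TLS deployments. The identical pattern is repeated in the HeaderUtil::setCookie hunk and should get the same treatment. This branch also unconditionally replaces the `SameSite=strict` value chosen by the `if` that begins before the hunk, so the two decisions are worth merging into one chain; the enclosing method continues outside the hunk.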
@@ -41,11 +41,16 @@ final class HeaderUtil
 {
 $cookieDomain = self::getCookieDomain();
 
+ $sameSite = '';
+ if (!HTTP_SEND_X_FRAME_OPTIONS) {
+ $sameSite = '; SameSite=none';
+ }
+
 @\header(
 'Set-Cookie: ' . \rawurlencode(COOKIE_PREFIX . $name) . '=' . \rawurlencode((string)$value) . ($expire ? '; expires=' . \gmdate(
 'D, d-M-Y H:i:s',
 $expire
- ) . ' GMT; max-age=' . ($expire - TIME_NOW) : '') . '; path=/' . ($cookieDomain !== null ? '; domain=' . $cookieDomain : '') . (RouteHandler::secureConnection() ? '; secure' : '') . '; HttpOnly',
+ ) . ' GMT; max-age=' . ($expire - TIME_NOW) : '') . '; path=/' . ($cookieDomain !== null ? '; domain=' . $cookieDomain : '') . (RouteHandler::secureConnection() ? '; secure' : '') . $sameSite . '; HttpOnly',
 false
 );
 }
-- 
2.20.1
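Review bot: The `$sameSite` computation added at the top of `setCookie` duplicates the block added in SessionHandler, and nothing in the hunk explains why the attribute is derived from `HTTP_SEND_X_FRAME_OPTIONS`; a short why-comment above the `if` would help, e.g. `// Embedding in frames is allowed, so the cookie must also be sent with cross-site (framed) requests.` Consider moving the three lines into one shared helper (for instance a static method on HeaderUtil returning the attribute fragment) so both call sites stay in sync when the policy changes. Before this commit the cookie carried no SameSite attribute at all, so the behaviour on the `HTTP_SEND_X_FRAME_OPTIONS` path is unchanged and only the framing-allowed path is affected. The `setCookie` signature lies before the hunk.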