From e95647ab4ea1d2b21acd03784ed5de4e3c363305 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=8A=A0=E8=97=A4=20=E6=9C=97?=
Date: Fri, 6 Dec 2024 12:39:36 +0900
Subject: [PATCH] =?UTF-8?q?fix=20#4067=20Cookie=EF=BC=88csrfToken=EF=BC=89?= =?UTF-8?q?=E3=81=ABsecure=E5=B1=9E=E6=80=A7=E3=81=8C=E4=BB=98=E3=81=8B?= =?UTF-8?q?=E3=81=AA=E3=81=84=E5=95=8F=E9=A1=8C=E3=82=92=E8=A7=A3=E6=B1=BA?= =?UTF-8?q?=20(#4068)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: kato
Co-authored-by: ryuring
---
 src/Application.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/Application.php b/src/Application.php
index c4a2b3fa6b..5415ec0658 100644
--- a/src/Application.php
+++ b/src/Application.php
@@ -64,6 +64,12 @@ public function bootstrap(): void
 */
 public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 {
+ $csrfProtectionMiddlewareOptions = ['httponly' => true];
+ //リクエストがhttpsならcsrfTokenにもsecureヘッダを付与
+ $sessionConfig = (array) Configure::read('Session');
+ if (!empty($sessionConfig['ini']['session.cookie_secure']) || (int) ini_get('session.cookie_secure') === 1) {
+ $csrfProtectionMiddlewareOptions['secure'] = true;
+ }
 $middlewareQueue
 // Catch any exceptions in the lower layers,
 // and make an error page/response
@@ -87,9 +93,7 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 // Cross Site Request Forgery (CSRF) Protection Middleware
 // https://book.cakephp.org/5/en/security/csrf.html#cross-site-request-forgery-csrf-middleware
- ->add(new CsrfProtectionMiddleware([
- 'httponly' => true,
- ]));
+ ->add(new CsrfProtectionMiddleware($csrfProtectionMiddlewareOptions));
 return $middlewareQueue;
 }
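Review bot: The comment above the new `$sessionConfig` lookup says the Secure attribute is added when the request is HTTPS, but the condition never looks at the request scheme — it keys off `Session.ini.session.cookie_secure` in Configure or the `session.cookie_secure` ini value — so the comment should say what the code does, in English like the rest of the file: `// Mirror the session cookie's Secure flag onto the csrfToken cookie (config/ini driven, not per-request)`. The `(int) ini_get('session.cookie_secure') === 1` test only recognises the literal string "1"; ini_get returns the raw value, and if the flag was set as `On`/`true` through ini_set or a php_value directive the cast yields 0 and the CSRF cookie silently stays non-Secure, whereas `filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN)` accepts the usual spellings. Conversely `!empty(...)` on the Configure side treats any non-empty string, including `'Off'`, as enabled, so the two branches parse booleans inconsistently and both would be better routed through the same filter_var call. Because this runs once at middleware construction, a deployment that terminates TLS at a proxy without setting session.cookie_secure gets no Secure flag on either cookie; that is consistent, but worth stating in the comment. middleware()'s body continues past the end of this hunk.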
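Review bot: No `samesite` attribute is set on the csrfToken cookie built by this `->add(new CsrfProtectionMiddleware($csrfProtectionMiddlewareOptions))` call — only `httponly` and, conditionally, `secure` — so the token cookie is still attached to cross-site requests. If the installed CsrfProtectionMiddleware accepts a `samesite` option (the CakePHP 5 page linked just above documents the middleware's options), adding `'samesite' => 'Lax'` next to `'httponly' => true` where the options array is initialised is cheap defense in depth for a cookie whose only purpose is CSRF protection. A one-line comment at this call site, `// options (httponly/secure) are assembled at the top of middleware()`, would also save the next reader a search, since the array is now built several hunks away. middleware() starts outside this hunk.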