From 06ff0230474f9c3b5baa4e5827b897f42fe16213 Mon Sep 17 00:00:00 2001
From: Stefan <mu.stefan@googlemail.com>
Date: Wed, 8 Jun 2016 21:14:10 +0200
Subject: [PATCH] Add secure flag to cookies on client side if pad accessed
 through https

---
 src/static/js/pad_cookie.js | 7 ++++++-
 src/static/js/pad_utils.js  | 7 +++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/static/js/pad_cookie.js b/src/static/js/pad_cookie.js
index 9866dbfd..b563a7e6 100644
--- a/src/static/js/pad_cookie.js
+++ b/src/static/js/pad_cookie.js
@@ -43,7 +43,8 @@ var padcookie = (function()
   {
     var expiresDate = new Date();
     expiresDate.setFullYear(3000);
-    document.cookie = ('prefs=' + safeText + ';expires=' + expiresDate.toGMTString());
+    var secure = isHttpsScheme() ? ";secure" : "";
+    document.cookie = ('prefs=' + safeText + ';expires=' + expiresDate.toGMTString() + secure);
   }
 
   function parseCookie(text)
@@ -79,6 +80,10 @@ var padcookie = (function()
       alreadyWarnedAboutNoCookies = true;
     }
   }
+  
+  function isHttpsScheme() {
+    return window.location.protocol == "https:";
+  }
 
   var wasNoCookie = true;
   var cookieData = {};
diff --git a/src/static/js/pad_utils.js b/src/static/js/pad_utils.js
index 5a7700c9..eafa14bb 100644
--- a/src/static/js/pad_utils.js
+++ b/src/static/js/pad_utils.js
@@ -53,13 +53,16 @@ function createCookie(name, value, days, path){ /* Used by IE */
   if(!path){ // IF the Path of the cookie isn't set then just create it on root
     path = "/";
   }
+  
+  //Check if we accessed the pad over https
+  var secure = window.location.protocol == "https:" ? ";secure" : "";
 
   //Check if the browser is IE and if so make sure the full path is set in the cookie
   if((navigator.appName == 'Microsoft Internet Explorer') || ((navigator.appName == 'Netscape') && (new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})").exec(navigator.userAgent) != null))){
-    document.cookie = name + "=" + value + expires + "; path=/"; /* Note this bodge fix for IE is temporary until auth is rewritten */
+    document.cookie = name + "=" + value + expires + "; path=/" + secure; /* Note this bodge fix for IE is temporary until auth is rewritten */
   }
   else{
-    document.cookie = name + "=" + value + expires + "; path=" + path;
+    document.cookie = name + "=" + value + expires + "; path=" + path + secure;
   }
 
 }