Add support for download share on old android browser

[j3l11234]

In old android browser, The browser can't follow the cookies, but the browser's downloader can't follow cookies. So I skip the sameSite check when download share

__Host-nc_sameSiteCookielax=true;
__Host-nc_sameSiteCookiestrict=true

[kesselb]

Thanks for this contribution 👍

In old android browser,

Could you elaborate? How can I test this change?

[j3l11234]

Thanks for this contribution 👍

In old android browser,

Could you elaborate? How can I test this change?

OK，My Phone is OPPO R9m / Android 5.1 , I use the browser that comes with the system. I use proxy to monitor network
It can show the share page. The request has the sameSite cookies.
But when I click the download, It show the download panel, but cant start the download. I see many many 302 with the set-cookies. The browser's downloader just follow the 302, but not follow the set-cookies of sameSite.

[rullzer]

I need to think about this.
But I'm not a fan of dropping security related things for an obscure old android browser.

[j3l11234]

I need to think about this.
But I'm not a fan of dropping security related things for an obscure old android browser.

In fact is not old android browser. In my Android 10, many browser app has the same problem. such as UC
I think when download the public share, who has the share key should can download freely. ( In publish share page, should not rely on cookies )

[rullzer]

Only partly true of course. With password protected public links we should rely on cookies.
In that case we should for sure require the samesite cookies.

I'll dive into this a bit later

[j3l11234]

Only partly true of course. With password protected public links we should rely on cookies.
In that case we should for sure require the samesite cookies.

I'll dive into this a bit later

The purpose of 'nc_sameSiteCookie*' is want to protect logout CSRF. I think the checking (check 'nc_sameSiteCookie*' and set it if it doesn't exist. the module is SameSiteCookieMiddleware) should not be apply to the 'downloadShare' func.
Actually when visit the share page, the 'nc_sameSiteCookie*' must has been set.
Actually when we always set the cookies with SameSite.

[j3l11234]

@rullzer What's going on？

[rullzer]

So I took another look at this, your issues seems valid if you use any kind of download manager indeed.

However to fully merge this and thus ignore the samesitecookie. I'l like to make sure this uses full appframework code. So that we have real file download responses with all the security checks that that adds. I'll see if I can fix that early next week.

[nickvergessen]

🐘

[blizzz]

🐘

[welcome]

Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22