From 42455b19ff973db2728f9289cae3091c39d1f82d Mon Sep 17 00:00:00 2001
From: Patrik Dufresne
Date: Thu, 21 Oct 2021 06:54:06 -0400
Subject: [PATCH] Skip SameSite=Lax is cookie is not defined

---
 rdiffweb/controller/dispatch.py | 2 +-
 rdiffweb/controller/filter_authentication.py | 3 ++-
 rdiffweb/controller/tests/test_check_links.py | 4 ++++
 rdiffweb/controller/tests/test_csrf.py | 8 ++++++++
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/rdiffweb/controller/dispatch.py b/rdiffweb/controller/dispatch.py
index 0ef2f465..6a313efe 100644
--- a/rdiffweb/controller/dispatch.py
+++ b/rdiffweb/controller/dispatch.py
@@ -124,7 +124,7 @@ def static(path):
     content_type = mimetypes.types_map.get(ext, None)  # @UndefinedVariable
 
     @cherrypy.expose
-    @cherrypy.config(**{'tools.authform.on': False})
+    @cherrypy.config(**{'tools.authform.on': False, 'tools.sessions.on': False})
     def handler(*args, **kwargs):
         if cherrypy.request.method not in ('GET', 'HEAD'):
             return None
diff --git a/rdiffweb/controller/filter_authentication.py b/rdiffweb/controller/filter_authentication.py
index aac68cf7..5adc7ba8 100644
--- a/rdiffweb/controller/filter_authentication.py
+++ b/rdiffweb/controller/filter_authentication.py
@@ -257,7 +257,8 @@ def _set_same_site(self):
         # https://github.com/cherrypy/cherrypy/issues/1767
         # Force SameSite to Lax
         cookie = cherrypy.serving.response.cookie.get('session_id', None)
-        cookie['samesite'] = 'Lax'
+        if cookie:
+            cookie['samesite'] = 'Lax'
 
     def run(self):
         if cherrypy.request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
diff --git a/rdiffweb/controller/tests/test_check_links.py b/rdiffweb/controller/tests/test_check_links.py
index f284d7a4..ef46a10d 100644
--- a/rdiffweb/controller/tests/test_check_links.py
+++ b/rdiffweb/controller/tests/test_check_links.py
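Review bot: The new `'tools.sessions.on': False` entry in the static handler's config carries no comment saying why sessions are switched off for static assets, and the enclosing `static(path)` and its nested `handler` both continue past the hunk. Since the same commit adds a test asserting that a static request produces no `Set-Cookie`, that intent belongs next to the decorator: `# Static assets need no session: issue no Set-Cookie (and no SameSite fix-up) for them`. Anything further down `handler` that touched `cherrypy.session` would now fail; the visible lines only check the request method, so this looks safe but is worth confirming against the rest of the body.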
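Review bot: `if cookie:` in `_set_same_site` tests the truthiness of an `http.cookies.Morsel`, which is a `dict` subclass; it happens to be truthy only because `Morsel` pre-populates its reserved attribute keys, not because a session value is present. The condition is meant to tell the `None` from `.get('session_id', None)` apart from a real cookie, so `if cookie is not None:` says that directly and does not depend on the Morsel's dict contents. The `def _set_same_site(self):` line is above the hunk; the guard applies only to the `session_id` cookie, as before.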
@@ -42,9 +42,13 @@ def test_links(self):
         todo = OrderedDict()
         todo["/"] = "/"
         self.getPage("/")
+        # Store the original cookie since it get replace during execution.
+        self.assertIsNotNone(self.cookies)
+        cookies = self.cookies
         while todo:
             page, ref = todo.popitem(last=False)
             # Query page
+            self.cookies = cookies
             self.getPage(page)
             # Check status
             self.assertStatus('200 OK', "can't access page [%s] referenced by [%s]" % (page, ref))
diff --git a/rdiffweb/controller/tests/test_csrf.py b/rdiffweb/controller/tests/test_csrf.py
index 7e09b53c..80c1fb32 100644
--- a/rdiffweb/controller/tests/test_csrf.py
+++ b/rdiffweb/controller/tests/test_csrf.py
@@ -32,6 +32,14 @@ def test_samesite_lax(self):
         cookie = self.assertHeader('Set-Cookie')
         self.assertIn('SameSite=Lax', cookie)
 
+    def test_samesite_lax_without_session(self):
+        # Given not a client sending no cookie
+        self.cookies = None
+        # When a query is made to a static path (without session)
+        self.getPage('/static/blue.css')
+        # Then Set-Cookie is not defined.
+        self.assertNoHeader('Set-Cookie')
+
     def test_get_with_wrong_origin(self):
         # Given a GET request made to rdiffweb
         # When the request is made using a different origin
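Review bot: The new comment `# Store the original cookie since it get replace during execution.` has a grammar slip and does not say why the cookie is lost; `# Keep the session cookie: each getPage() presumably replaces self.cookies with the response's Set-Cookie, and static pages now send none.` records the reason the value is restored before every request in the loop. Restoring `self.cookies = cookies` before `self.getPage(page)` also means that a page which deliberately reissues the session cookie is ignored for the following requests — acceptable for a link check, but worth stating. `test_links` continues below the hunk.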
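Review bot: The Given comment `# Given not a client sending no cookie` in `test_samesite_lax_without_session` reads as a double negative; `# Given a client that sends no cookie` is what `self.cookies = None` sets up. The test checks that a static request yields no `Set-Cookie` at all, which exercises the `tools.sessions.on` change in dispatch.py rather than the new `if cookie:` guard in `_set_same_site`; if that guard can still be reached for a response without a session cookie, a test hitting such a path would pin the guard directly. Whether the test base class populates `self.cookies` before this assignment is not visible here.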