From 1dc8b24665bfe65ef6696468235f5698e4195899 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Fri, 16 Apr 2021 20:15:12 +0200
Subject: [PATCH 1/5] transmit cookie only over HTTPS, fixes #472

---
 CHANGELOG.md       | 1 +
 js/privatebin.js   | 2 +-
 lib/Controller.php | 4 ++--
 tpl/bootstrap.php  | 2 +-
 tpl/page.php       | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7276c84e..00f5f21c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
   * **1.4 (not yet released)**
     * ADDED: Translation for Estonian
     * ADDED: new HTTP headers improving security (#765)
+    * CHANGED: Language selection cookie only transmitted over HTTPS (#472)
   * **1.3.5 (2021-04-05)**
     * ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan
     * ADDED: Make the project info configurable (#681)
diff --git a/js/privatebin.js b/js/privatebin.js
index e549dd61..05199701 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -3676,7 +3676,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         function setLanguage(event)
         {
-            document.cookie = 'lang=' + $(event.target).data('lang');
+            document.cookie = 'lang=' + $(event.target).data('lang') + ';secure';
             UiHelper.reloadHome();
         }
 
diff --git a/lib/Controller.php b/lib/Controller.php
index bc23a52a..5b81cd89 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -170,7 +170,7 @@ class Controller
         // force default language, if language selection is disabled and a default is set
         if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) {
             $_COOKIE['lang'] = $lang;
-            setcookie('lang', $lang);
+            setcookie('lang', $lang, 0, '', '', true);
         }
     }
 
@@ -367,7 +367,7 @@ class Controller
         $languageselection = '';
         if ($this->_conf->getKey('languageselection')) {
             $languageselection = I18n::getLanguage();
-            setcookie('lang', $languageselection);
+            setcookie('lang', $languageselection, 0, '', '', true);
         }
 
         $page = new View;
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index ffea8720..f8f94446 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.2.7.js" integrity="sha512-7Ka1I/nJuR2CL8wzIS5PJS4HgEMd0HJ6kfAl6fFhwFBB27rhztFbe0tS+Ex+Qg+5n4nZIT4lty4k4Di3+X9T4A==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/7gEqgCgQA9cgLUf5rBj+nfJptVm92LAYxvBN7mmeG+xkq9lQ+eY7DWQY47TGXXA7HqkCwk7424mnBiYZvCAUQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-BAc7Bcew+3hIQ84bibDMcMjr5ShiJU0jUnHX4x14ySB7yq/dh+LsbMobBOCBJbOWsndK0sDxpIeA3kWMW0/lrQ==" crossorigin="anonymous"></script>
 		<!-- icon -->
 		<link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" />
diff --git a/tpl/page.php b/tpl/page.php
index e58617d1..a2272326 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.2.7.js" integrity="sha512-7Ka1I/nJuR2CL8wzIS5PJS4HgEMd0HJ6kfAl6fFhwFBB27rhztFbe0tS+Ex+Qg+5n4nZIT4lty4k4Di3+X9T4A==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/7gEqgCgQA9cgLUf5rBj+nfJptVm92LAYxvBN7mmeG+xkq9lQ+eY7DWQY47TGXXA7HqkCwk7424mnBiYZvCAUQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-BAc7Bcew+3hIQ84bibDMcMjr5ShiJU0jUnHX4x14ySB7yq/dh+LsbMobBOCBJbOWsndK0sDxpIeA3kWMW0/lrQ==" crossorigin="anonymous"></script>
 		<!-- icon -->
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />

From 6f3bb25b092cf33160d1a8d2071f7ca4e5cedcaa Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Fri, 16 Apr 2021 20:25:50 +0200
Subject: [PATCH 2/5] disable Google FloC

---
 lib/Controller.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/Controller.php b/lib/Controller.php
index bc23a52a..bfa29b1d 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -349,6 +349,7 @@ class Controller
         header('Cross-Origin-Resource-Policy: same-origin');
         header('Cross-Origin-Embedder-Policy: require-corp');
         header('Cross-Origin-Opener-Policy: same-origin');
+        header('Permissions-Policy: interest-cohort=()');
         header('Referrer-Policy: no-referrer');
         header('X-Content-Type-Options: nosniff');
         header('X-Frame-Options: deny');

From fd7d05e8624b9a8293496ace80ed437ccd02f88d Mon Sep 17 00:00:00 2001
From: rugk <rugk+git@posteo.de>
Date: Fri, 16 Apr 2021 22:03:02 +0200
Subject: [PATCH 3/5] Add base URL as default CSP restriction

This follows an [HTTP Observatory recommendation](https://observatory.mozilla.org/analyze/privatebin.net):
> Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.

Given we don't use that anywhere, this safe should be safe. (not tested practically though)
---
 cfg/conf.sample.php   | 2 +-
 lib/Configuration.php | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index e958c88d..570503ce 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -87,7 +87,7 @@ languageselection = false
 ;   async functions and display an error if not and for Chrome to enable
 ;   webassembly support (used for zlib compression). You can remove it if Chrome
 ;   doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+; cspheader = "default-src 'none'; base-uri 'self'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
diff --git a/lib/Configuration.php b/lib/Configuration.php
index 2a326caf..741ab7c9 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -55,7 +55,7 @@ class Configuration
             'urlshortener'             => '',
             'qrcode'                   => true,
             'icon'                     => 'identicon',
-            'cspheader'                => 'default-src \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+            'cspheader'                => 'default-src \'none\'; base-uri \'self\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
             'zerobincompatibility'     => false,
             'httpwarning'              => true,
             'compression'              => 'zlib',
@@ -265,3 +265,4 @@ class Configuration
         return $this->_configuration[$section];
     }
 }
+

From 7b7a32c0a734b53ca2c7276410759390ea308189 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 17 Apr 2021 08:20:08 +0200
Subject: [PATCH 4/5] apply StyleCI recommendation

---
 lib/Configuration.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/Configuration.php b/lib/Configuration.php
index 741ab7c9..426cd158 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -265,4 +265,3 @@ class Configuration
         return $this->_configuration[$section];
     }
 }
-

From 5f4200c721be070162981878dff30ade1bcde89f Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Sat, 17 Apr 2021 08:39:35 +0200
Subject: [PATCH 5/5] document change

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00f5f21c..b3278931 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
   * **1.4 (not yet released)**
     * ADDED: Translation for Estonian
     * ADDED: new HTTP headers improving security (#765)
+    * ADDED: Opt-out of federated learning of cohorts (FLoC) (#776)
     * CHANGED: Language selection cookie only transmitted over HTTPS (#472)
   * **1.3.5 (2021-04-05)**
     * ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan