From 447534b611a5edbd66ada9c1eb85908e6039489e Mon Sep 17 00:00:00 2001
From: C0nw0nk
Date: Wed, 28 Aug 2019 01:17:53 +0100
Subject: [PATCH] Update anti_ddos_challenge.lua

Add cors headers and include XMLHTTPREQUEST with credentials tag and remove domain tag from set-cookie to fix issue with Google Chrome. Still broken in Microsoft Edge !?

---
 lua/anti_ddos_challenge.lua | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/lua/anti_ddos_challenge.lua b/lua/anti_ddos_challenge.lua
index 5852b24..dc44960 100644
--- a/lua/anti_ddos_challenge.lua
+++ b/lua/anti_ddos_challenge.lua
@@ -418,12 +418,16 @@ local function grant_access()
 if req_headers["x-requested-with"] == "XMLHttpRequest" then --if request header matches request type of XMLHttpRequest
 --ngx.log(ngx.ERR, "x-auth-answer result | "..req_headers[x_auth_header_name]) --output x-auth-answer to log
 if req_headers[x_auth_header_name] == JavascriptPuzzleVars_answer then --if the answer header provided by the browser Javascript matches what our Javascript puzzle answer should be
- set_cookie1 = challenge.."="..cookie_value.."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --apply our uid cookie incase javascript setting this cookies time stamp correctly has issues
- set_cookie2 = cookie_name_start_date.."="..ngx.cookie_time(currenttime).."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start date cookie
- set_cookie3 = cookie_name_end_date.."="..ngx.cookie_time(currenttime+expire_time).."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --end date cookie
- set_cookie4 = cookie_name_encrypted_start_and_end_date.."="..calculate_signature(remote_addr .. ngx.cookie_time(currenttime) .. ngx.cookie_time(currenttime+expire_time) ).."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start and end date combined to unique id
+ set_cookie1 = challenge.."="..cookie_value.."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --apply our uid cookie incase javascript setting this cookies time stamp correctly has issues
+ set_cookie2 = cookie_name_start_date.."="..ngx.cookie_time(currenttime).."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start date cookie
+ set_cookie3 = cookie_name_end_date.."="..ngx.cookie_time(currenttime+expire_time).."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --end date cookie
+ set_cookie4 = cookie_name_encrypted_start_and_end_date.."="..calculate_signature(remote_addr .. ngx.cookie_time(currenttime) .. ngx.cookie_time(currenttime+expire_time) ).."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start and end date combined to unique id
 ngx.header["Set-Cookie"] = {set_cookie1 , set_cookie2 , set_cookie3 , set_cookie4}
+ ngx.header["Access-Control-Allow-Origin"] = "*"
+ ngx.header["Access-Control-Allow-Credentials"] = "true"
+ ngx.header["Access-Control-Allow-Methods"] = "GET, POST, PUT, HEAD"
+ ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
 end
 end
@@ -503,6 +507,7 @@ xhttp.setRequestHeader(']] .. x_auth_header_name .. [[', ]] .. JavascriptPuzzleV
 xhttp.setRequestHeader('X-Requested-TimeStamp-Combination', '');
 xhttp.setRequestHeader('X-Requested-Type', 'GET');
 xhttp.setRequestHeader('X-Requested-Type-Combination', 'GET'); //Encrypted for todays date
+ xhttp.withCredentials = true;
 ]]
 local JavascriptPuzzleVariable = [[
@@ -527,7 +532,7 @@ local javascript_anti_ddos = [[
 var time = now.getTime();
 time += 300 * 1000;
 now.setTime(time);
- document.cookie = ']] .. challenge .. [[=]] .. answer .. [[' + '; expires=' + ']] .. ngx.cookie_time(currenttime+expire_time) .. [[' + '; domain=.]] .. domain .. [[; path=/';
+ document.cookie = ']] .. challenge .. [[=]] .. answer .. [[' + '; expires=' + ']] .. ngx.cookie_time(currenttime+expire_time) .. [[' + '; path=/';
 //javascript puzzle for browser to figure out to get answer
 ]] .. JavascriptVars_opening .. [[
 ]] .. JavascriptPuzzleVariable .. [[
@@ -684,6 +689,10 @@ local anti_ddos_html_output = [[
 --Output Anti-DDoS Authentication Page
 --set_cookie1 = challenge.."="..answer.."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --apply our uid cookie in header here incase browsers javascript can't set cookies due to permissions.
 --ngx.header["Set-Cookie"] = {set_cookie1}
+ngx.header["Access-Control-Allow-Origin"] = "*"
+ngx.header["Access-Control-Allow-Credentials"] = "true"
+ngx.header["Access-Control-Allow-Methods"] = "GET, POST, PUT, HEAD"
+ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
 ngx.header["X-Content-Type-Options"] = "nosniff"
 ngx.header["X-Frame-Options"] = "SAMEORIGIN"
 ngx.header["X-XSS-Protection"] = "1; mode=block"
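Review bot: The four `ngx.header["Access-Control-Allow-*"]` lines added before `X-Content-Type-Options` are a verbatim copy of the block added inside `grant_access()` in the first hunk; a single `local function set_cors_headers() ... end` called from both places keeps the two copies from diverging when one is corrected. Here they are emitted on the plain HTML challenge page rather than on the XHR reply, and nothing in the visible lines shows a cross-origin reader of that page, so this copy looks unnecessary; the wildcard-origin/credentials conflict raised on the first hunk applies here unchanged. If the headers are kept deliberately, a comment such as `-- intentional: challenge page is readable by any origin` would record that the page's content is meant to be fetchable cross-origin, since `*` grants exactly that.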