safari: workaround another apple bug (closes #1111);

seemingly as of iOS / macos 26.1, safari started requesting
favicons -- specifically only favicons -- with the incorrect
browser context (they probably forgot to initialize something)

instead of the correct user-agent, it would send:
* iOS: NetworkingExtension/8623.1.14.10.9
* macos: com.apple.WebKit.Networking/21623.1.14.11.9

further, it would NOT send any SameSite=Strict cookies,
which the session-cookie is (for good reason)

putting these two together, safari now looks like a webdav client,
and copyparty sends the only appropriate response (http 401),
resulting in a basic-authentication popup

left with no good options, this is what we can do to mitigate:

* add a new option --ua-nodav which is a regex of user-agents
   which are definitely not webdav clients, as macos-finder still
   flipflops between WebDAVLib/1.3 and WebDAVFS/3.0.0 like normal

* use the "js=y" cookie as another flag that this is a webbrowser

merry christmas
ed
2025-12-16 22:38:51 +00:00
parent 8d46cf1823
commit 0b6d2d2424
3 changed files with 7 additions and 5 deletions

@@ -1439,7 +1439,8 @@ def add_webdav(ap):
ap2.add_argument("--dav-mac", action="store_true", help="disable apple-garbage filter -- allow macos to create junk files (._* and .DS_Store, .Spotlight-*, .fseventsd, .Trashes, .AppleDouble, __MACOS)")
ap2.add_argument("--dav-rt", action="store_true", help="show symlink-destination's lastmodified instead of the link itself; always enabled for recursive listings (volflag=davrt)")
ap2.add_argument("--dav-auth", action="store_true", help="force auth for all folders (required by davfs2 when only some folders are world-readable) (volflag=davauth)")
ap2.add_argument("--dav-ua1", metavar="PTN", type=u, default=r" kioworker/", help="regex of tricky user-agents which expect 401 from GET requests; disable with [\033[32mno\033[0m] or blank")
ap2.add_argument("--dav-ua1", metavar="PTN", type=u, default=r" kioworker/", help="regex of user-agents which ARE webdav-clients, and expect 401 from GET requests; disable with [\033[32mno\033[0m] or blank")
ap2.add_argument("--ua-nodav", metavar="PTN", type=u, default=r"^(Mozilla/|NetworkingExtension/|com\.apple\.WebKit)", help="regex of user-agents which are NOT webdav-clients")
def add_tftp(ap):
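
Review bot: the help string on the added --ua-nodav line says what the pattern matches but not what the server does with a match, and unlike --dav-ua1 just above it does not say whether [no] or blank is accepted. Suggest stating that a matching user-agent is not given the 401 described in the commit message unless --dav-ua1 also matches, and how the option is disabled. The default is anchored with ^ but the com\.apple\.WebKit alternative has no trailing delimiter the way Mozilla/ and NetworkingExtension/ do; a word on whether that looser prefix is intentional would help.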

@@ -5466,7 +5466,7 @@ class HttpCli(object):
def setck(self) -> bool:
k, v = self.uparam["setck"].split("=", 1)
t = 0 if v in ("", "x") else 86400 * 299
ck = gencookie(k, v, self.args.R, self.args.cookie_lax, False, t)
ck = gencookie(k, v, self.args.R, True, False, t)
self.out_headerlist.append(("Set-Cookie", ck))
if "cc" in self.ouparam:
self.redirect("", "?h#cc")
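
Review bot: in setck, replacing self.args.cookie_lax with a literal True means that setting no longer has any effect on cookies set through the setck parameter, and neither the code nor the commit message says so. Because k and v come straight from self.uparam["setck"], this covers every cookie name that can be set this way, not only js. Suggest a comment on the gencookie call explaining why these cookies must always be issued in that mode (presumably so js=y still arrives on the favicon requests that omit SameSite=Strict cookies), or limiting the override to the js cookie.
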
@@ -5478,7 +5478,7 @@ class HttpCli(object):
for k in ALL_COOKIES:
if k not in self.cookies:
continue
cookie = gencookie(k, "x", self.args.R, self.args.cookie_lax, False)
cookie = gencookie(k, "x", self.args.R, True, False)
self.out_headerlist.append(("Set-Cookie", cookie))
self.redirect("", "?h#cc")
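
Review bot: the bare positional True, False in the cookie-clearing loop repeats the literal from setck and cannot be read without opening gencookie. Suggest passing those two arguments by keyword, or sharing one named value between the two call sites so they cannot drift apart. It is also worth confirming that expiring every name in ALL_COOKIES with the overridden flag is intended for cookies that were issued under the operator's cookie_lax choice.
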
@@ -5512,8 +5512,9 @@ class HttpCli(object):
rc == 403
and self.uname == "*"
and "sec-fetch-site" not in self.headers
and self.cookies.get("js") != "y"
and (
not self.ua.startswith("Mozilla/")
not self.args.ua_nodav.search(self.ua)
or (self.args.dav_ua1 and self.args.dav_ua1.search(self.ua))
)
):
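
Review bot: self.args.ua_nodav.search(self.ua) is called unguarded, while the next line guards the sibling option with self.args.dav_ua1 and ... before calling search. The SvcHub hunk adds ua_nodav to the same list that special-cases an empty value or "no", so if that path leaves the attribute falsy, this line raises for anonymous 403s that carry neither sec-fetch-site nor the js cookie. Suggest the same guard, for example not self.args.ua_nodav or not self.args.ua_nodav.search(self.ua), or documenting that the option cannot be disabled. Both new signals (the js=y cookie and the user-agent) are supplied by the client, so a short comment stating that they only select which denial response is sent, if that is the case, would help future readers.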

@@ -1088,7 +1088,7 @@ class SvcHub(object):
vsa = [x.lower() for x in vsa if x]
setattr(al, k + "_set", set(vsa))
zs = "dav_ua1 sus_urls nonsus_urls ua_nodoc ua_nozip"
zs = "dav_ua1 sus_urls nonsus_urls ua_nodav ua_nodoc ua_nozip"
for k in zs.split(" "):
vs = getattr(al, k)
if not vs or vs == "no":