Merge pull request #252 from mattmoyer/fix-csrf-cookie-same-site

Switch CSRF cookie from `SameSite=Strict` to `SameSite=Lax` (the attribute name is `SameSite`, not `Same-Site`).
This commit is contained in:
Matt Moyer 2020-12-03 21:53:24 -06:00 committed by GitHub
commit 7b088d611d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions


@ -225,7 +225,7 @@ func addCSRFSetCookieHeader(w http.ResponseWriter, csrfValue csrftoken.CSRFToken
Name: oidc.CSRFCookieName, Name: oidc.CSRFCookieName,
Value: encodedCSRFValue, Value: encodedCSRFValue,
HttpOnly: true, HttpOnly: true,
SameSite: http.SameSiteStrictMode, SameSite: http.SameSiteLaxMode,
Secure: true, Secure: true,
Path: "/", Path: "/",
}) })
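Review bot: The `SameSite: http.SameSiteLaxMode,` line, the only change in this hunk, carries no comment explaining why Lax rather than Strict is required, and that reasoning is exactly what a later hardening pass would need before "fixing" it back to Strict. Presumably the cookie must be presented on the top-level GET redirect from the upstream identity provider back to the callback endpoint; Strict withholds the cookie on every cross-site navigation, while Lax sends it on top-level GET navigations only, which is the narrowest setting that keeps that redirect working. Lax therefore still lets a cross-site link or redirect arrive with this cookie attached, so the CSRF defense has to rest on comparing the cookie's value against the value bound into the state parameter rather than on the cookie's mere presence — that comparison is not visible from this hunk and should be confirmed. I would add above the field: `// Lax (not Strict) so the browser sends this cookie on the top-level GET redirect back from the upstream IdP; the callback must still match the cookie value against the state param.` The rest of addCSRFSetCookieHeader lies outside the hunk.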


@ -751,7 +751,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
if test.wantCSRFValueInCookieHeader != "" { if test.wantCSRFValueInCookieHeader != "" {
require.Len(t, rsp.Header().Values("Set-Cookie"), 1) require.Len(t, rsp.Header().Values("Set-Cookie"), 1)
actualCookie := rsp.Header().Get("Set-Cookie") actualCookie := rsp.Header().Get("Set-Cookie")
regex := regexp.MustCompile("__Host-pinniped-csrf=([^;]+); Path=/; HttpOnly; Secure; SameSite=Strict") regex := regexp.MustCompile("__Host-pinniped-csrf=([^;]+); Path=/; HttpOnly; Secure; SameSite=Lax")
submatches := regex.FindStringSubmatch(actualCookie) submatches := regex.FindStringSubmatch(actualCookie)
require.Len(t, submatches, 2) require.Len(t, submatches, 2)
captured := submatches[1] captured := submatches[1]
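Review bot: The updated pattern on the `regexp.MustCompile(...)` line is unanchored, so FindStringSubmatch still matches if unexpected attributes are appended after `SameSite=Lax`, and the test would not notice a future change that adds them. Anchoring it — `regexp.MustCompile("^__Host-pinniped-csrf=([^;]+); Path=/; HttpOnly; Secure; SameSite=Lax$")` — pins the exact attribute set the `__Host-` prefix depends on (Secure, Path=/, no Domain) as well as the Lax setting this commit introduces. The assertions that use the captured value, and the rest of TestAuthorizationEndpoint, lie outside the hunk.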