ContainerImage.Pinniped/internal/oidc/auth
Matt Moyer f0ebd808d7
Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax.
This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1].

We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode.

[1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 21:30:00 -06:00
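Added illustration (not code from the Pinniped repository or from this commit): a small Go program that issues a CSRF cookie with `SameSite=Lax` and then models the browser rule the commit message relies on, so the three cases it describes can be checked side by side: a cross-site top-level redirect from the upstream OIDC provider to the callback endpoint (dropped under Strict, sent under Lax), the Dex-based test where upstream and downstream shared the `svc.cluster.local` parent domain (sent even under Strict), and, as a further caveat, a cross-site POST such as an OIDC `response_mode=form_post` callback, which Lax still drops. The cookie name, the hostnames, and the two-label approximation of a "site" (real browsers use the Public Suffix List) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// setCSRFCookie issues the CSRF cookie the way the fix describes: Lax instead
// of Strict, so it survives the upstream provider's redirect back to the
// callback endpoint. Name and path are placeholders (assumption).
func setCSRFCookie(w http.ResponseWriter, value string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "csrf",
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
}

// site approximates a host's "site" as its last two labels, e.g.
// "dex.tools.svc.cluster.local" -> "cluster.local". Browsers use the Public
// Suffix List instead; this simplification is an assumption of the example.
func site(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	if len(labels) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// cookieSent applies the SameSite rules of the cookie-same-site draft:
//   - a same-site request always carries the cookie;
//   - Strict never sends it on a cross-site request;
//   - Lax sends it cross-site only for a top-level navigation using a safe
//     method (GET/HEAD), which is exactly what a 302 from the upstream
//     provider to the callback URL is.
// initiator is the URL of the page/redirector that caused the request (here:
// the upstream issuer), target the URL being loaded (here: the callback).
func cookieSent(mode http.SameSite, initiator, target *url.URL, topLevel bool, method string) bool {
	sameSite := site(initiator.Hostname()) == site(target.Hostname())
	if sameSite || mode == http.SameSiteNoneMode {
		return true
	}
	switch mode {
	case http.SameSiteStrictMode:
		return false
	case http.SameSiteLaxMode, http.SameSiteDefaultMode:
		// No attribute is treated like Lax here, as current Chromium does
		// (assumption of this example).
		return topLevel && (method == http.MethodGet || method == http.MethodHead)
	}
	return false
}

// csrfCookieSurvivesCallback answers: after the upstream issuer redirects the
// browser to the callback URL, does the CSRF cookie accompany that request?
// The redirect is modelled as a top-level navigation with the given method.
func csrfCookieSurvivesCallback(mode http.SameSite, upstreamIssuer, callback, method string) bool {
	from, err := url.Parse(upstreamIssuer)
	if err != nil {
		return false
	}
	to, err := url.Parse(callback)
	if err != nil {
		return false
	}
	return cookieSent(mode, from, to, true, method)
}

func main() {
	// Constructed sample URLs; not Pinniped's real endpoints.
	upstream := "https://accounts.example.com/authorize"
	callback := "https://supervisor.pinniped.internal/callback"
	dexUpstream := "https://dex.tools.svc.cluster.local/auth"
	dexCallback := "https://pinniped-supervisor.pinniped.svc.cluster.local/callback"

	fmt.Println("cross-site redirect, Strict:", csrfCookieSurvivesCallback(http.SameSiteStrictMode, upstream, callback, http.MethodGet))
	fmt.Println("cross-site redirect, Lax:   ", csrfCookieSurvivesCallback(http.SameSiteLaxMode, upstream, callback, http.MethodGet))
	fmt.Println("Dex same parent domain, Strict:", csrfCookieSurvivesCallback(http.SameSiteStrictMode, dexUpstream, dexCallback, http.MethodGet))
	fmt.Println("cross-site form_post, Lax:  ", csrfCookieSurvivesCallback(http.SameSiteLaxMode, upstream, callback, http.MethodPost))
}
```

The last case is the practical caveat: Lax fixes the redirect-based callback, but if the authorization response ever arrived as a cross-site POST, the cookie would be dropped again and the CSRF check would fail in the same way it did under Strict.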
auth_handler_test.go Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax. 2020-12-03 21:30:00 -06:00
auth_handler.go Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax. 2020-12-03 21:30:00 -06:00