Add SameSite #8
Reference: macaron/csrf#8
No description provided.
Signed-off-by: Andrew Thornton art27@cantab.net
@ -228,3 +233,3 @@
x.Token = GenerateToken(x.Secret, x.ID, "POST")
if opt.SetCookie {
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1), cookie.SameSite(opt.SameSite))
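Review bot: the new cookie.SameSite(opt.SameSite) argument is passed independently of opt.Secure, but browsers discard a cookie that carries SameSite=None unless it is also marked Secure, so a deployment that sets SameSite to None without TLS would silently lose the CSRF cookie altogether; validate that combination where the options are filled in (reject it, or force Secure when SameSite is None) rather than passing both flags through unchecked. The lifetime in the same call is still the fixed time.Now().AddDate(0, 0, 1), so the 24-hour expiry remains hardcoded regardless of how the session cookie is configured.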
Unrelated, but can you maybe add an option for Expires (hardcoded to 24h here)?

I've added the option to set the cookie lifetime - we can set it to 24 hours in Gitea.
Thanks. I think we should actually match it to the session cookies lifetime.
Actually I think you misunderstood. I was talking about the http.Cookie.Expires (8th argument to SetCookie). What you exposed is http.Cookie.MaxAge (don't think we'll need it).

Only one of the two should be set. If both are present, MaxAge has precedence.
https://golang.org/src/net/http/cookie.go
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
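As an added illustration of the two points raised in this thread, and not code from macaron/csrf itself, the snippet below builds the CSRF cookie from the same fields the SetCookie call takes, sends only Max-Age (leaving Expires unset so the two never disagree), refuses SameSite=None without Secure, and falls back to Lax when no SameSite mode is configured. The CSRFCookieOptions type and BuildCSRFCookie function are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// CSRFCookieOptions mirrors the arguments handed to ctx.SetCookie in the diff.
// Hypothetical type for this example, not macaron/csrf's own Options struct.
type CSRFCookieOptions struct {
	Name     string
	Path     string
	Domain   string
	Secure   bool
	HttpOnly bool
	Lifetime time.Duration // emitted as Max-Age; Expires is deliberately left unset
	SameSite http.SameSite
}

// ErrNoneRequiresSecure is returned for the SameSite=None + !Secure combination,
// which browsers reject, leaving the request without a CSRF cookie at all.
var ErrNoneRequiresSecure = errors.New("SameSite=None requires the Secure flag")

// BuildCSRFCookie assembles the token cookie. An unset SameSite (zero value or
// net/http's SameSiteDefaultMode) is promoted to Lax so the attribute is always
// written explicitly instead of relying on per-browser defaults.
func BuildCSRFCookie(opt CSRFCookieOptions, token string) (*http.Cookie, error) {
	if opt.SameSite == http.SameSiteNoneMode && !opt.Secure {
		return nil, ErrNoneRequiresSecure
	}
	mode := opt.SameSite
	if mode == 0 || mode == http.SameSiteDefaultMode {
		mode = http.SameSiteLaxMode
	}
	return &http.Cookie{
		Name:     opt.Name,
		Value:    token,
		Path:     opt.Path,
		Domain:   opt.Domain,
		Secure:   opt.Secure,
		HttpOnly: opt.HttpOnly,
		MaxAge:   int(opt.Lifetime / time.Second), // only one of Max-Age/Expires is set
		SameSite: mode,
	}, nil
}

func main() {
	// Constructed sample values; the token is a placeholder, not a real CSRF token.
	opt := CSRFCookieOptions{Name: "_csrf", Path: "/", Secure: true, HttpOnly: true,
		Lifetime: 24 * time.Hour, SameSite: http.SameSiteStrictMode}
	c, err := BuildCSRFCookie(opt, "constructed-token")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("Set-Cookie:", c.String())
}
```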
Oh yeah I see.
Which would you prefer, MaxAge or Expires?
👍
CI fail :/
@ -44,2 +45,4 @@
// Return the flag value used for the csrf token.
GetCookieHttpOnly() bool
// Return the SameSite setting for the csrf token.
GetSameSite() http.SameSite
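Review bot: adding GetSameSite() http.SameSite to this exported interface is a breaking change for every external type that implements it, and it ties the interface to net/http's SameSite type; if the value is only consumed inside the package, reading it from the options struct avoids widening the public contract. The doc comments on both getters also do not follow the Go convention of starting with the method name (e.g. "// GetSameSite returns the SameSite setting for the csrf token.").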
drop these two
done!