fix: set samesite mode for CSRF cookie based on security policy (#6914)

2025-08-12 11:47:34 +00:00 · 2023-11-14 11:01:59 +02:00
parent bd63fcd15d
commit 1344760369
1 changed files with 5 additions and 0 deletions
--- a/internal/api/ui/login/login.go
+++ b/internal/api/ui/login/login.go
@@ -130,11 +130,16 @@ func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecu
 				handler.ServeHTTP(w, r)
 				return
 			}
+			sameSiteMode := csrf.SameSiteLaxMode
+			if len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {
+				sameSiteMode = csrf.SameSiteNoneMode
+			}
 			csrf.Protect(csrfCookieKey,
 				csrf.Secure(externalSecure),
 				csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),
 				csrf.Path(path),
 				csrf.ErrorHandler(errorHandler),
+				csrf.SameSite(sameSiteMode),
 			)(handler).ServeHTTP(w, r)
 		})
 	}