fix: set samesite mode for CSRF cookie based on security policy (#6914)

(cherry picked from commit 1344760369)
Livio Spring 2023-11-14 11:01:59 +02:00
parent 18788b6045
commit 5af3298414


@ -130,11 +130,16 @@ func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecu
handler.ServeHTTP(w, r)
return
}
sameSiteMode := csrf.SameSiteLaxMode
if len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {
sameSiteMode = csrf.SameSiteNoneMode
}
csrf.Protect(csrfCookieKey,
csrf.Secure(externalSecure),
csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),
csrf.Path(path),
csrf.ErrorHandler(errorHandler),
csrf.SameSite(sameSiteMode),
)(handler).ServeHTTP(w, r)
})
}
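Review bot: The switch to `csrf.SameSiteNoneMode` at L19 is made regardless of `externalSecure`, yet the cookie's `Secure` attribute follows `externalSecure` (L22) and browsers reject a `SameSite=None` cookie that lacks `Secure`, so an instance that configures allowed origins but runs without external TLS would never store the CSRF cookie and every state-changing request would then fail the CSRF check. Guard the downgrade on the secure flag: `if externalSecure && len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {`. The condition also deserves a why-comment, because `None` makes the cookie available on cross-site requests and the protection then rests on the token check and whatever origin/Referer validation the csrf middleware performs (not visible here, worth confirming): `// Allowed origins imply cross-site embedding, so the CSRF cookie must be SameSite=None to be sent; None is only honoured alongside Secure.` The enclosing `createCSRFInterceptor` starts before this hunk, so I cannot see how `externalSecure` is derived.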