From 5af3298414952349ec21eb95e7080681ff28cb88 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Tue, 14 Nov 2023 11:01:59 +0200
Subject: [PATCH] fix: set samesite mode for CSRF cookie based on security policy (#6914)

(cherry picked from commit 13447603694c365851ed002e6cb0a6a809ce28f6)
---
 internal/api/ui/login/login.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/api/ui/login/login.go b/internal/api/ui/login/login.go
index fcda0252d6..9c41bc61e9 100644
--- a/internal/api/ui/login/login.go
+++ b/internal/api/ui/login/login.go
@@ -130,11 +130,16 @@ func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecu
 handler.ServeHTTP(w, r)
 return
 }
+ sameSiteMode := csrf.SameSiteLaxMode
+ if len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {
+ sameSiteMode = csrf.SameSiteNoneMode
+ }
 csrf.Protect(csrfCookieKey,
 csrf.Secure(externalSecure),
 csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),
 csrf.Path(path),
 csrf.ErrorHandler(errorHandler),
+ csrf.SameSite(sameSiteMode),
 )(handler).ServeHTTP(w, r)
 })
 }
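Review bot: The new `sameSiteMode = csrf.SameSiteNoneMode` branch is not tied to `externalSecure`, yet `csrf.Secure(externalSecure)` a few lines below may still be false; browsers reject a `SameSite=None` cookie that lacks the `Secure` attribute, so on a non-TLS deployment with allowed origins configured the CSRF cookie would be dropped and every protected POST would fail the token check rather than be protected. Consider only relaxing the mode when the cookie will actually be marked secure, e.g. `if externalSecure && len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {`, or at least a comment above the branch: `// SameSite=None is only honoured by browsers together with Secure; embedding therefore requires externalSecure`. Since `None` removes the cookie's own cross-site isolation, a second comment noting that the gorilla/csrf token comparison becomes the sole cross-origin defence for embedded logins would help the next maintainer. Whether `authz.GetInstance` can return a nil instance here cannot be told from the hunk; the enclosing createCSRFInterceptor body starts above the hunk.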