fix: set samesite mode for CSRF cookie based on security policy (#6914)
(cherry picked from commit 1344760369
)
This commit is contained in:
parent
18788b6045
commit
5af3298414
@ -130,11 +130,16 @@ func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecu
|
||||
handler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
sameSiteMode := csrf.SameSiteLaxMode
|
||||
if len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {
|
||||
sameSiteMode = csrf.SameSiteNoneMode
|
||||
}
|
||||
csrf.Protect(csrfCookieKey,
|
||||
csrf.Secure(externalSecure),
|
||||
csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),
|
||||
csrf.Path(path),
|
||||
csrf.ErrorHandler(errorHandler),
|
||||
csrf.SameSite(sameSiteMode),
|
||||
)(handler).ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
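Review bot: The SameSite=None assignment on the `sameSiteMode = csrf.SameSiteNoneMode` line is only honoured by current browsers when the cookie also carries Secure, yet the Secure attribute still follows `externalSecure` on its own in `csrf.Secure(externalSecure)`, independent of the new condition; an instance whose security policy lists allowed origins but is served without TLS would get a SameSite=None cookie without Secure, which browsers reject, so the CSRF token cookie is likely never stored and state-changing requests would then land in errorHandler. Tying the downgrade to the secure flag avoids that combination: `if externalSecure && len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {`, or alternatively have createCSRFInterceptor refuse the conflicting configuration up front. A short comment above the `sameSiteMode := csrf.SameSiteLaxMode` line would also help the next reader understand the trade-off, e.g. `// SameSite=None lets the cookie travel on cross-site requests from the policy's allowed origins, so protection then rests on the csrf token and Origin/Referer checks alone; Lax otherwise.` Whether `authz.GetInstance` can return a nil instance for a request without instance context is not visible here and worth confirming, since the call is now on the hot path of every request. createCSRFInterceptor starts before this hunk.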
|