TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 09:57:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: set samesite to none for user agent cookie for iframe usage (#6162)

Browse Source 
Co-authored-by: Fabi <fabienne@zitadel.com>
This commit is contained in:
Livio Spring
2023-07-10 07:51:56 +02:00
committed by GitHub
parent 48bda9aa07
commit 5cba5cd635
2 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
internal/api/http/cookie.go
View File

@@ -111,7 +111,7 @@ func (c *CookieHandler) SetCookie(w http.ResponseWriter, name, domain, value str
c.httpSet(w, name, domain, value, c.maxAge)
}
func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain string, value interface{}) error {
func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain string, value interface{}, sameSiteNone bool) error {
if c.securecookie == nil {
return errors.ThrowInternal(nil, "HTTP-s2HUtx", "securecookie not configured")
}
@@ -119,7 +119,11 @@ func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain s
if err != nil {
return err
}
c.httpSet(w, name, domain, encoded, c.maxAge)
sameSite := c.sameSite
if sameSiteNone {
sameSite = http.SameSiteNoneMode
}
c.httpSetWithSameSite(w, name, domain, encoded, c.maxAge, sameSite)
return nil
}
@@ -128,6 +132,10 @@ func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) {
}
func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value string, maxage int) {
c.httpSetWithSameSite(w, name, domain, value, maxage, c.sameSite)
}
func (c *CookieHandler) httpSetWithSameSite(w http.ResponseWriter, name, domain, value string, maxage int, sameSite http.SameSite) {
http.SetCookie(w, &http.Cookie{
Name: SetCookiePrefix(name, domain, c.path, c.secureOnly),
Value: value,
@@ -136,7 +144,7 @@ func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value strin
MaxAge: maxage,
HttpOnly: c.httpOnly,
Secure: c.secureOnly,
SameSite: c.sameSite,
SameSite: sameSite,
})
varyValues := w.Header().Values("vary")
for _, vary := range varyValues {