TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-12 02:54:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: set samesite to none for user agent cookie for iframe usage (#6162)

Browse Source 
Co-authored-by: Fabi <fabienne@zitadel.com>
This commit is contained in:
Livio Spring 2023-07-10 07:51:56 +02:00 committed by GitHub
parent 48bda9aa07
commit 5cba5cd635
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
internal/api/http/cookie.go
View File

@ -111,7 +111,7 @@ func (c *CookieHandler) SetCookie(w http.ResponseWriter, name, domain, value str
c.httpSet(w, name, domain, value, c.maxAge)
}
func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain string, value interface{}) error {
func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain string, value interface{}, sameSiteNone bool) error {
if c.securecookie == nil {
return errors.ThrowInternal(nil, "HTTP-s2HUtx", "securecookie not configured")
}
@ -119,7 +119,11 @@ func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name, domain s
if err != nil {
return err
}
c.httpSet(w, name, domain, encoded, c.maxAge)
sameSite := c.sameSite
if sameSiteNone {
sameSite = http.SameSiteNoneMode
}
c.httpSetWithSameSite(w, name, domain, encoded, c.maxAge, sameSite)
return nil
}
@ -128,6 +132,10 @@ func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) {
}
func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value string, maxage int) {
c.httpSetWithSameSite(w, name, domain, value, maxage, c.sameSite)
}
func (c *CookieHandler) httpSetWithSameSite(w http.ResponseWriter, name, domain, value string, maxage int, sameSite http.SameSite) {
http.SetCookie(w, &http.Cookie{
Name: SetCookiePrefix(name, domain, c.path, c.secureOnly),
Value: value,
@ -136,7 +144,7 @@ func (c *CookieHandler) httpSet(w http.ResponseWriter, name, domain, value strin
MaxAge: maxage,
HttpOnly: c.httpOnly,
Secure: c.secureOnly,
SameSite: c.sameSite,
SameSite: sameSite,
})
varyValues := w.Header().Values("vary")
for _, vary := range varyValues {

12
internal/api/http/middleware/user_agent_cookie.go
View File

@ -6,6 +6,9 @@ import (
"strings"
"time"
"github.com/zitadel/logging"
"github.com/zitadel/zitadel/internal/api/authz"
http_utils "github.com/zitadel/zitadel/internal/api/http"
"github.com/zitadel/zitadel/internal/errors"
"github.com/zitadel/zitadel/internal/id"
@ -71,8 +74,11 @@ func (ua *userAgentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
if err == nil {
ctx := context.WithValue(r.Context(), userAgentKey, agent.ID)
instance := authz.GetInstance(r.Context())
allowedHosts := instance.SecurityPolicyAllowedOrigins()
r = r.WithContext(ctx)
ua.setUserAgent(w, r.Host, agent)
err = ua.setUserAgent(w, r.Host, agent, len(allowedHosts) > 0)
logging.WithFields("instanceID", instance.InstanceID()).OnError(err).Error("unable to set user agent cookie")
}
ua.nextHandler.ServeHTTP(w, r)
}
@ -94,8 +100,8 @@ func (ua *userAgentHandler) getUserAgent(r *http.Request) (*UserAgent, error) {
return userAgent, nil
}
func (ua *userAgentHandler) setUserAgent(w http.ResponseWriter, host string, agent *UserAgent) error {
err := ua.cookieHandler.SetEncryptedCookie(w, ua.cookieName, host, agent)
func (ua *userAgentHandler) setUserAgent(w http.ResponseWriter, host string, agent *UserAgent, iframe bool) error {
err := ua.cookieHandler.SetEncryptedCookie(w, ua.cookieName, host, agent, iframe)
if err != nil {
return errors.ThrowPermissionDenied(err, "HTTP-AqgqdA", "cannot set user agent cookie")
}