fix: enable iframe use on http://localhost (#7152)

* fix: enable iframe use on http://localhost * docs(iframe): add info about cookies * improve comments
2025-08-12 04:57:33 +00:00 · 2024-01-16 11:28:56 +01:00
parent 2ccb7baf85
commit 96d0291848
4 changed files with 47 additions and 20 deletions
--- a/internal/api/ui/login/login.go
+++ b/internal/api/ui/login/login.go
@@ -8,6 +8,7 @@ import (

 	"github.com/gorilla/csrf"
 	"github.com/gorilla/mux"
+
 	"github.com/zitadel/zitadel/feature"
 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
@@ -122,13 +123,21 @@ func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecu
 				handler.ServeHTTP(w, r)
 				return
 			}
+			// by default we use SameSite Lax and the externalSecure (TLS) for the secure flag
 			sameSiteMode := csrf.SameSiteLaxMode
-			if len(authz.GetInstance(r.Context()).SecurityPolicyAllowedOrigins()) > 0 {
+			secureOnly := externalSecure
+			instance := authz.GetInstance(r.Context())
+			// in case of `allow iframe`...
+			if len(instance.SecurityPolicyAllowedOrigins()) > 0 {
+				// ... we need to change to SameSite none ...
 				sameSiteMode = csrf.SameSiteNoneMode
+				// ... and since SameSite none requires the secure flag, we'll set it for TLS and for localhost
+				// (regardless of the TLS / externalSecure settings)
+				secureOnly = externalSecure || instance.RequestedDomain() == "localhost"
 			}
 			csrf.Protect(csrfCookieKey,
-				csrf.Secure(externalSecure),
-				csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),
+				csrf.Secure(secureOnly),
+				csrf.CookieName(http_utils.SetCookiePrefix(cookieName, externalSecure, http_utils.PrefixHost)),
 				csrf.Path(path),
 				csrf.ErrorHandler(errorHandler),
 				csrf.SameSite(sameSiteMode),