(parent: 8d39d92)
17202: Use explicit SameSite=Lax for 303-with-cookie.
author    Tom Clegg <tom@tomclegg.ca>  Wed, 9 Dec 2020 14:34:14 +0000 (09:34 -0500)
committer Tom Clegg <tom@tomclegg.ca>  Wed, 9 Dec 2020 14:34:14 +0000 (09:34 -0500)
This improves XSS protection on some browsers, including Safari and
Firefox for Android.
On most browsers, Lax is already the default.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>
services/keep-web/handler.go
diff --git
a/services/keep-web/handler.go
b/services/keep-web/handler.go
index 8e427403837f073da65d931b9646dc38a7d972b6..2d6fb78f8098a7752a2e9075f8ea84ca537c445f 100644
(file)
--- a/
services/keep-web/handler.go
+++ b/
services/keep-web/handler.go
@@
-773,6
+773,7
@@
func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
Value: auth.EncodeTokenCookie([]byte(formToken)),
Path: "/",
HttpOnly: true,
+ SameSite: http.SameSiteLaxMode,
})
}
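Review bot: Lax rather than Strict is the correct mode for this cookie, and a one-line comment next to `SameSite: http.SameSiteLaxMode` saying so would help future readers: the cookie is set on a 303 and must be sent on the top-level GET that the redirect triggers, and if the form POST that reaches `seeOtherWithCookie` can originate from another site, Strict would withhold the cookie on that follow-up request. The visible context (`Value`, `Path`, `HttpOnly`) does not show whether `Secure: true` is set on this cookie; if it is not set elsewhere in the struct literal, it belongs alongside `HttpOnly` for TLS deployments so the token cookie is never sent over plain HTTP. Note also that the MDN page cited in the commit message describes SameSite as a cross-site request forgery (CSRF) mitigation, so the message's "XSS protection" wording understates what this attribute does and does not defend against.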