17202: Use explicit SameSite=Lax for 303-with-cookie.
author Tom Clegg <tom@tomclegg.ca>
Wed, 9 Dec 2020 14:34:14 +0000 (09:34 -0500)
committer Peter Amstutz <peter.amstutz@curii.com>
Mon, 22 Feb 2021 19:02:35 +0000 (14:02 -0500)
This improves XSS protection on some browsers, including Safari and
Firefox for Android.

On most browsers, Lax is already the default.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>

services/keep-web/handler.go

index 8e427403837f073da65d931b9646dc38a7d972b6..2d6fb78f8098a7752a2e9075f8ea84ca537c445f 100644 (file)
@@ -773,6 +773,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
                        Value:    auth.EncodeTokenCookie([]byte(formToken)),
                        Path:     "/",
                        HttpOnly: true,
+                       SameSite: http.SameSiteLaxMode,
                })
        }
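Review bot: The commit message describes the added `SameSite: http.SameSiteLaxMode` as XSS protection, but the attribute only controls whether the browser attaches this cookie to cross-site requests, so what it hardens is the cross-site-request (CSRF-style) path to the token cookie, not script injection; the message and any related documentation should describe it that way. The visible context shows `Value`, `Path` and `HttpOnly` but no `Secure` flag; if the literal does not already set `Secure: true` above line 773, consider adding it next to `SameSite`, since this cookie carries an auth token. Lax rather than Strict is the right choice for `seeOtherWithCookie`: the 303 lands on a top-level GET navigation, which Lax still allows the cookie to accompany, whereas Strict could drop it on that first request.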