author | zeripath <art27@cantab.net> | 2021-03-07 08:12:43 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-07 08:12:43 +0000 |
commit | 9b261f52f074fcc11fd705dae63084364c4f7adf (patch) | |
tree | 587521b6929105a76b288a962316504380c1c494 /modules/web | |
parent | beed5476e2831f7a0943d484873f4f49dfdd256f (diff) | |
Add SameSite setting for cookies (#14900)
Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default.
A possible future extension would be to differentiate which cookies can default to Strict, but that is left for a future PR.
Fix #5583
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/web')
-rw-r--r-- | modules/web/middleware/cookie.go | 41 | ||||
-rw-r--r-- | modules/web/middleware/locale.go | 25 |
2 files changed, 65 insertions, 1 deletions
diff --git a/modules/web/middleware/cookie.go b/modules/web/middleware/cookie.go
index 83e365f9c4..cfcc2bbac7 100644
--- a/modules/web/middleware/cookie.go
+++ b/modules/web/middleware/cookie.go
@@ -76,6 +76,47 @@ func NewCookie(name, value string, maxAge int) *http.Cookie {
 }
 }
+// SetRedirectToCookie convenience function to set the RedirectTo cookie consistently
+func SetRedirectToCookie(resp http.ResponseWriter, value string) {
+ SetCookie(resp, "redirect_to", value,
+ 0,
+ setting.AppSubURL,
+ "",
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteRedirectToCookie convenience function to delete most cookies consistently
+func DeleteRedirectToCookie(resp http.ResponseWriter) {
+ SetCookie(resp, "redirect_to", "",
+ -1,
+ setting.AppSubURL,
+ "",
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteSesionConfigPathCookie convenience function to delete SessionConfigPath cookies consistently
+func DeleteSesionConfigPathCookie(resp http.ResponseWriter, name string) {
+ SetCookie(resp, name, "",
+ -1,
+ setting.SessionConfig.CookiePath,
+ setting.SessionConfig.Domain,
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteCSRFCookie convenience function to delete SessionConfigPath cookies consistently
+func DeleteCSRFCookie(resp http.ResponseWriter) {
+ SetCookie(resp, setting.CSRFCookieName, "",
+ -1,
+ setting.SessionConfig.CookiePath,
+ setting.SessionConfig.Domain) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
+}
+
 // SetCookie set the cookies
 // TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed.
 func SetCookie(resp http.ResponseWriter, name string, value string, others ...interface{}) {
diff --git a/modules/web/middleware/locale.go b/modules/web/middleware/locale.go
index 449095f611..a08e5aaeec 100644
--- a/modules/web/middleware/locale.go
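Review bot: DeleteCSRFCookie ships with its FIXME unresolved — it hands SetCookie only the path and domain, whereas the three sibling helpers above it also pass `setting.SessionConfig.Secure`, `true` and `SameSite(setting.SessionConfig.SameSite)`. Browsers pick the cookie to clear by name, domain and path, so the deletion will most likely still take effect, but a clearing Set-Cookie that lacks the Secure and SameSite attributes of the cookie it replaces is exactly the inconsistency this commit sets out to remove, and the safe move is to make the call identical to DeleteSesionConfigPathCookie by replacing the `setting.SessionConfig.Domain)` line with `setting.SessionConfig.Domain,` / `setting.SessionConfig.Secure,` / `true,` / `SameSite(setting.SessionConfig.SameSite))` (SetCookie's body, which decides how those positional arguments are interpreted, is outside the hunk, so confirm against it). The exported name `DeleteSesionConfigPathCookie` misspells "Session" and will be painful to rename once callers in other packages exist. The doc comments on DeleteRedirectToCookie ("delete most cookies") and DeleteCSRFCookie ("delete SessionConfigPath cookies") are copy-paste leftovers; I would write `// DeleteRedirectToCookie clears the redirect_to cookie using the same path, domain and flags SetRedirectToCookie set it with` and `// DeleteCSRFCookie clears the CSRF cookie named by setting.CSRFCookieName`.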
+++ b/modules/web/middleware/locale.go
@@ -7,6 +7,7 @@ package middleware
 import (
 "net/http"
+ "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/translation"
 "github.com/unknwon/i18n"
@@ -42,8 +43,30 @@ func Locale(resp http.ResponseWriter, req *http.Request) translation.Locale {
 }
 if changeLang {
- SetCookie(resp, "lang", lang, 1<<31-1)
+ SetLocaleCookie(resp, lang, 1<<31-1)
 }
 return translation.NewLocale(lang)
 }
+
+// SetLocaleCookie convenience function to set the locale cookie consistently
+func SetLocaleCookie(resp http.ResponseWriter, lang string, expiry int) {
+ SetCookie(resp, "lang", lang, expiry,
+ setting.AppSubURL,
+ setting.SessionConfig.Domain,
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteLocaleCookie convenience function to delete the locale cookie consistently
+// Setting the lang cookie will trigger the middleware to reset the language ot previous state.
+func DeleteLocaleCookie(resp http.ResponseWriter) {
+ SetCookie(resp, "lang", "",
+ -1,
+ setting.AppSubURL,
+ setting.SessionConfig.Domain,
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
|
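Review bot: SetLocaleCookie's third parameter is named `expiry`, but what flows through it looks like a Max-Age in seconds rather than an expiry time: Locale passes the same `1<<31-1` it previously handed straight to SetCookie, DeleteLocaleCookie passes `-1` in that position to clear the cookie, and the sibling cookie.go in this package already calls the same thing `maxAge` in `NewCookie(name, value string, maxAge int)`. I would rename it to `maxAge` and state the contract in the doc comment: `// SetLocaleCookie sets the "lang" cookie; maxAge is the cookie's Max-Age in seconds, and a negative value deletes it` (SetCookie's handling of its positional arguments is outside the hunk, so confirm against it). The new cookie is scoped to `setting.AppSubURL` and `setting.SessionConfig.Domain` while the removed call set neither, so if SetCookie falls back to a default path when none is given, a browser still holding a pre-upgrade `lang` cookie could end up carrying two `lang` cookies after upgrade — presumably harmless for a language preference, but worth a release note if nothing else clears the old one. DeleteLocaleCookie's second comment line has a typo ("ot") and reads as if it describes setting rather than clearing; I would write `// Clearing the lang cookie makes the Locale middleware fall back to its default language detection on the next request.` and adjust the wording to whatever Locale actually does, since Locale's body begins outside the hunk.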