authorzeripath <art27@cantab.net>2021-03-07 08:12:43 +0000
committerGitHub <noreply@github.com>2021-03-07 08:12:43 +0000
commit9b261f52f074fcc11fd705dae63084364c4f7adf (patch)
tree587521b6929105a76b288a962316504380c1c494 /modules/web
parentbeed5476e2831f7a0943d484873f4f49dfdd256f (diff)
Add SameSite setting for cookies (#14900)
Add SameSite setting for cookies and rationalise the cookie-setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set to Strict by default, but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/web')
-rw-r--r--modules/web/middleware/cookie.go41
-rw-r--r--modules/web/middleware/locale.go25
2 files changed, 65 insertions, 1 deletions
diff --git a/modules/web/middleware/cookie.go b/modules/web/middleware/cookie.go
index 83e365f9c4..cfcc2bbac7 100644
--- a/modules/web/middleware/cookie.go
+++ b/modules/web/middleware/cookie.go
@@ -76,6 +76,47 @@ func NewCookie(name, value string, maxAge int) *http.Cookie {
}
}
+// SetRedirectToCookie convenience function to set the RedirectTo cookie consistently
+func SetRedirectToCookie(resp http.ResponseWriter, value string) {
+ SetCookie(resp, "redirect_to", value,
+ 0,
+ setting.AppSubURL,
+ "",
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteRedirectToCookie convenience function to delete most cookies consistently
+func DeleteRedirectToCookie(resp http.ResponseWriter) {
+ SetCookie(resp, "redirect_to", "",
+ -1,
+ setting.AppSubURL,
+ "",
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteSesionConfigPathCookie convenience function to delete SessionConfigPath cookies consistently
+func DeleteSesionConfigPathCookie(resp http.ResponseWriter, name string) {
+ SetCookie(resp, name, "",
+ -1,
+ setting.SessionConfig.CookiePath,
+ setting.SessionConfig.Domain,
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteCSRFCookie convenience function to delete SessionConfigPath cookies consistently
+func DeleteCSRFCookie(resp http.ResponseWriter) {
+ SetCookie(resp, setting.CSRFCookieName, "",
+ -1,
+ setting.SessionConfig.CookiePath,
+ setting.SessionConfig.Domain) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
+}
+
// SetCookie set the cookies
// TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed.
func SetCookie(resp http.ResponseWriter, name string, value string, others ...interface{}) {
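Review bot: DeleteCSRFCookie at the end of the hunk leaves Secure, HttpOnly and SameSite unset while every sibling helper in this hunk passes them, and the FIXME on its last argument acknowledges the gap; browsers match an expiring cookie on name, Domain and Path, so the delete should still take effect, but it is the one helper written to a different convention than the cookie it clears. Passing the same trailing arguments as DeleteSesionConfigPathCookie, `setting.SessionConfig.Secure, true, SameSite(setting.SessionConfig.SameSite))`, would keep the attributes aligned and remove the FIXME. The doc comments on DeleteRedirectToCookie ("delete most cookies") and DeleteCSRFCookie ("delete SessionConfigPath cookies") are copy-pasted from their neighbours and should name the cookie each one actually clears, and the exported name `DeleteSesionConfigPathCookie` is missing an "s" in "Session", which is cheapest to fix before callers depend on it. SetCookie's body continues outside the hunk, so whether it applies defaults for the omitted attributes cannot be confirmed here.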
diff --git a/modules/web/middleware/locale.go b/modules/web/middleware/locale.go
index 449095f611..a08e5aaeec 100644
--- a/modules/web/middleware/locale.go
+++ b/modules/web/middleware/locale.go
@@ -7,6 +7,7 @@ package middleware
import (
"net/http"
+ "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/translation"
"github.com/unknwon/i18n"
@@ -42,8 +43,30 @@ func Locale(resp http.ResponseWriter, req *http.Request) translation.Locale {
}
if changeLang {
- SetCookie(resp, "lang", lang, 1<<31-1)
+ SetLocaleCookie(resp, lang, 1<<31-1)
}
return translation.NewLocale(lang)
}
+
+// SetLocaleCookie convenience function to set the locale cookie consistently
+func SetLocaleCookie(resp http.ResponseWriter, lang string, expiry int) {
+ SetCookie(resp, "lang", lang, expiry,
+ setting.AppSubURL,
+ setting.SessionConfig.Domain,
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
+
+// DeleteLocaleCookie convenience function to delete the locale cookie consistently
+// Setting the lang cookie will trigger the middleware to reset the language ot previous state.
+func DeleteLocaleCookie(resp http.ResponseWriter) {
+ SetCookie(resp, "lang", "",
+ -1,
+ setting.AppSubURL,
+ setting.SessionConfig.Domain,
+ setting.SessionConfig.Secure,
+ true,
+ SameSite(setting.SessionConfig.SameSite))
+}
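Review bot: SetLocaleCookie's third parameter is named `expiry` but is forwarded as SetCookie's max-age argument (the same position NewCookie at the top of cookie.go calls `maxAge`, and the caller passes `1<<31-1` seconds), so `func SetLocaleCookie(resp http.ResponseWriter, lang string, maxAge int)` would document the unit correctly. The comment above DeleteLocaleCookie has a typo and describes setting the cookie inside a function that deletes it; a clearer line is `// Deleting the lang cookie lets the middleware reset the language to its previous state.`. SetLocaleCookie also passes setting.SessionConfig.Domain where SetRedirectToCookie in cookie.go passes an empty Domain; if that difference is intentional, a one-line comment saying why would stop a later reader from unifying them. The Locale function whose call site changes here starts outside the hunk.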