From 9b261f52f074fcc11fd705dae63084364c4f7adf Mon Sep 17 00:00:00 2001
From: zeripath
Date: Sun, 7 Mar 2021 08:12:43 +0000
Subject: Add SameSite setting for cookies (#14900)
Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR.
Fix #5583
Signed-off-by: Andrew Thornton
---
modules/setting/session.go | 13 +++++++++++++
1 file changed, 13 insertions(+)
(limited to 'modules/setting')
diff --git a/modules/setting/session.go b/modules/setting/session.go
index eb5e1a1875..97666c5e53 100644
--- a/modules/setting/session.go
+++ b/modules/setting/session.go
@@ -5,6 +5,7 @@ package setting
 import (
+ "net/http"
 "path"
 "path/filepath"
 "strings"
@@ -31,10 +32,13 @@ var (
 Secure bool
 // Cookie domain name. Default is empty.
 Domain string
+ // SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"
+ SameSite http.SameSite
 }{
 CookieName: "i_like_gitea",
 Gclifetime: 86400,
 Maxlifetime: 86400,
+ SameSite: http.SameSiteLaxMode,
 }
 )
@@ -52,6 +56,15 @@ func newSessionService() {
 SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
 SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
 SessionConfig.Domain = sec.Key("DOMAIN").String()
+ samesiteString := sec.Key("SAME_SITE").In("lax", []string{"none", "lax", "strict"})
+ switch strings.ToLower(samesiteString) {
+ case "none":
+ SessionConfig.SameSite = http.SameSiteNoneMode
+ case "strict":
+ SessionConfig.SameSite = http.SameSiteStrictMode
+ default:
+ SessionConfig.SameSite = http.SameSiteLaxMode
+ }
 json := jsoniter.ConfigCompatibleWithStandardLibrary
 shadowConfig, err := json.Marshal(SessionConfig)
--
cgit v1.2.3
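Review bot: In the SAME_SITE switch of the newSessionService hunk, `case "none"` assigns `http.SameSiteNoneMode` without looking at `SessionConfig.Secure`, yet current browsers discard a cookie carrying `SameSite=None` unless it also carries the `Secure` attribute, so a deployment that selects "none" while the secure flag is off ends up with a session cookie that is silently dropped rather than a visible misconfiguration. A guard after the switch, `if SessionConfig.SameSite == http.SameSiteNoneMode && !SessionConfig.Secure {` followed by a startup warning (or by forcing the secure flag on), would make the unsupported combination explicit; the SameSite field comment in the second hunk could likewise note that "none" is only honoured by browsers together with a secure cookie. The `strings.ToLower` call also appears redundant, since `In("lax", ...)` seems to compare case-sensitively against the lowercase candidates and will already have mapped a value such as "None" to "lax" before the switch runs — if case-insensitive input is intended, the lowering belongs before the `In` check. newSessionService continues outside the hunk.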