From ee878e3951d059363a1538a94d14576af8e7f83c Mon Sep 17 00:00:00 2001 From: Aleksandr Bulyshchenko Date: Tue, 22 May 2018 02:09:48 +0300 Subject: Support secure cookie for csrf-token (#3839) * dep: Update github.com/go-macaron/csrf Update github.com/go-macaron/csrf with dep to revision 503617c6b372 to fix issue of csrf-token security. This update includes following commits: - Add support for the Cookie HttpOnly flag - Support secure mode for csrf cookie Signed-off-by: Aleksandr Bulyshchenko * routers: set csrf-token security depending on COOKIE_SECURE Signed-off-by: Aleksandr Bulyshchenko
---
routers/routes/routes.go | 1 + 1 file changed, 1 insertion(+) (limited to 'routers')
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index 1585a0876d..cb9fbb16aa 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
 Secret: setting.SecretKey,
 Cookie: setting.CSRFCookieName,
 SetCookie: true,
+ Secure: setting.SessionConfig.Secure,
 Header: "X-Csrf-Token",
 CookiePath: setting.AppSubURL,
 }))
-- cgit v1.2.3
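Review bot: The added `Secure: setting.SessionConfig.Secure,` line ties the CSRF cookie's Secure flag to the session cookie setting without saying so, so an instance served over HTTPS with COOKIE_SECURE left off will still send the token cookie over plain HTTP. A comment on that line such as `// follows the session COOKIE_SECURE setting; when it is off the token cookie is not marked Secure` would make the coupling visible to operators and reviewers. The commit message also says the updated csrf package gained HttpOnly support, yet this options literal does not set it; if no front-end script reads the token from the cookie, adding `CookieHttpOnly: true,` next to the new line would keep the token away from injected scripts. The vendored package change is not shown in this view and NewMacaron's body extends beyond the hunk, so both points should be confirmed against the full file.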