Support secure cookie for csrf-token (#3839)

* dep: Update github.com/go-macaron/csrf

Update github.com/go-macaron/csrf with dep to revision 503617c6b3
to fix issue of csrf-token security.

This update includes following commits:
- Add support for the Cookie HttpOnly flag
- Support secure mode for csrf cookie

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>

* routers: set csrf-token security depending on COOKIE_SECURE

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>

Gopkg.lock

   revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
 
 [[projects]]
+  branch = "master"
   name = "github.com/go-macaron/csrf"
   packages = ["."]
-  revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0"
+  revision = "503617c6b37257a55dff6293ec28556506c3a9a8"
 
 [[projects]]
   branch = "master"

routers/routes/routes.go

 		Secret:     setting.SecretKey,
 		Cookie:     setting.CSRFCookieName,
 		SetCookie:  true,
+		Secure:     setting.SessionConfig.Secure,
 		Header:     "X-Csrf-Token",
 		CookiePath: setting.AppSubURL,
 	}))

vendor/github.com/go-macaron/csrf/csrf.go

 	GetCookieName() string
 	// Return cookie path
 	GetCookiePath() string
+	// Return the flag value used for the csrf token.
+	GetCookieHttpOnly() bool
 	// Return the token.
 	GetToken() string
 	// Validate by token.
 	Cookie string
 	//Cookie path
 	CookiePath string
+	// Cookie HttpOnly flag value used for the csrf token.
+	CookieHttpOnly bool
 	// Token generated to pass via header, cookie, or hidden form value.
 	Token string
 	// This value must be unique per user.
 	return c.CookiePath
 }
 
+// GetCookieHttpOnly returns the flag value used for the csrf token.
+func (c *csrf) GetCookieHttpOnly() bool {
+	return c.CookieHttpOnly
+}
+
 // GetToken returns the current token. This is typically used
 // to populate a hidden form in an HTML template.
 func (c *csrf) GetToken() string {
 	Cookie string
 	// Cookie path.
 	CookiePath string
+	CookieHttpOnly bool
 	// Key used for getting the unique ID per user.
 	SessionKey string
 	// oldSeesionKey saves old value corresponding to SessionKey.
 	opt := prepareOptions(options)
 	return func(ctx *macaron.Context, sess session.Store) {
 		x := &csrf{
-			Secret:     opt.Secret,
-			Header:     opt.Header,
-			Form:       opt.Form,
-			Cookie:     opt.Cookie,
-			CookiePath: opt.CookiePath,
-			ErrorFunc:  opt.ErrorFunc,
+			Secret:         opt.Secret,
+			Header:         opt.Header,
+			Form:           opt.Form,
+			Cookie:         opt.Cookie,
+			CookiePath:     opt.CookiePath,
+			CookieHttpOnly: opt.CookieHttpOnly,
+			ErrorFunc:      opt.ErrorFunc,
 		}
 		ctx.MapTo(x, (*CSRF)(nil))
 
 			// FIXME: actionId.
 			x.Token = GenerateToken(x.Secret, x.ID, "POST")
 			if opt.SetCookie {
-				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1))
+				ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
 			}
 		}