NotificationsYou must be signed in to change notification settings
Fork163
Star1.1k

Commit79c60d0

authored

fix: Set SameSite=Lax by default (#136)

* change: set SameSite=Lax by default* deps: update errors to v0.9.1* build: add go 1.13, go 1.14* docs: update SameSiteDefaultMode godoc

1 parentdbfab4e commit79c60d0Copy full SHA for 79c60d0

File tree

6 files changed

+30

-10

lines changed

6 files changed

+30

-10

lines changed

`‎.circleci/config.yml`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,16 @@ jobs:`
`23`	`23`	`LATEST:"true"`
`24`	`24`	`GO111MODULE:"on"`
`25`	`25`
	`26`	`+"1.14":`
	`27`	`+<<:*test`
	`28`	`+docker:`
	`29`	`+ -image:circleci/golang:1.14`
	`30`	`+`
	`31`	`+"1.13":`
	`32`	`+<<:*test`
	`33`	`+docker:`
	`34`	`+ -image:circleci/golang:1.13`
	`35`	`+`
`26`	`36`	`"1.12":`
`27`	`37`	`<<:*test`
`28`	`38`	`docker:`
`@@ -58,6 +68,8 @@ workflows:`
`58`	`68`	`build:`
`59`	`69`	`jobs:`
`60`	`70`	`-"latest"`
	`71`	`+ -"1.14"`
	`72`	`+ -"1.13"`
`61`	`73`	`-"1.12"`
`62`	`74`	`-"1.11"`
`63`	`75`	`-"1.10"`

`‎csrf.go`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -62,9 +62,10 @@ type SameSiteMode int`
`62`	`62`
`63`	`63`	`// SameSite options`
`64`	`64`	`const (`
`65`		`-// SameSiteDefaultMode sets an invalid SameSite header which defaults to`
`66`		`-// 'Lax' in most browsers, but may cause some browsers to ignore the cookie`
`67`		`-// entirely.`
	`65`	+// SameSiteDefaultMode sets the `SameSite` cookie attribute, which is
	`66`	`+// invalid in some older browsers due to changes in the SameSite spec. These`
	`67`	`+// browsers will not send the cookie to the server.`
	`68`	`+// csrf uses SameSiteLaxMode (SameSite=Lax) as the default as of v1.7.0+`
`68`	`69`	`SameSiteDefaultModeSameSiteMode=iota+1`
`69`	`70`	`SameSiteLaxMode`
`70`	`71`	`SameSiteStrictMode`

`‎go.mod`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ module github.com/gorilla/csrf`
`2`	`2`
`3`	`3`	`require (`
`4`	`4`	`github.com/gorilla/securecookiev1.1.1`
`5`		`-github.com/pkg/errorsv0.8.0`
	`5`	`+github.com/pkg/errorsv0.9.1`
`6`	`6`	`)`
`7`	`7`
`8`	`8`	`go1.13`

`‎go.sum`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,3 +2,5 @@ github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyC`
`2`	`2`	`github.com/gorilla/securecookiev1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=`
`3`	`3`	`github.com/pkg/errorsv0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=`
`4`	`4`	`github.com/pkg/errorsv0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=`
	`5`	`+github.com/pkg/errorsv0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=`
	`6`	`+github.com/pkg/errorsv0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=`

`‎options.go`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,10 @@ func parseOptions(h http.Handler, opts ...Option) *csrf {`
`152`	`152`	`cs.opts.Secure=true`
`153`	`153`	`cs.opts.HttpOnly=true`
`154`	`154`
	`155`	`+// Set SameSite=Lax by default, allowing the CSRF cookie to only be sent on`
	`156`	`+// top-level navigations.`
	`157`	`+cs.opts.SameSite=SameSiteLaxMode`
	`158`	`+`
`155`	`159`	`// Default; only override this if the package user explicitly calls MaxAge(0)`
`156`	`160`	`cs.opts.MaxAge=defaultAge`
`157`	`161`

`‎store_test.go`

Lines changed: 7 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -160,9 +160,9 @@ func TestSameSizeSet(t *testing.T) {`
`160`	`160`	`}`
`161`	`161`	`}`
`162`	`162`
`163`		`-//TestSamesiteBackwardsCompat tests that the default set of options do not set`
`164`		`-//any SameSite attribute.`
`165`		`-funcTestSamesiteBackwardsCompat(t*testing.T) {`
	`163`	`+//TestSameSiteDefault tests that the default set of options`
	`164`	`+//set SameSite=Lax on the CSRF cookie.`
	`165`	`+funcTestSameSiteDefaultLaxMode(t*testing.T) {`
`166`	`166`	`s:=http.NewServeMux()`
`167`	`167`	`s.HandleFunc("/",testHandler)`
`168`	`168`
`@@ -182,10 +182,11 @@ func TestSamesiteBackwardsCompat(t *testing.T) {`
`182`	`182`
`183`	`183`	`cookie:=rr.Header().Get("Set-Cookie")`
`184`	`184`	`ifcookie=="" {`
`185`		`-t.Fatalf("cookie not getset-cookie header: got headers %v",rr.Header())`
	`185`	`+t.Fatalf("cookie not getSet-Cookie header: got headers %v",rr.Header())`
`186`	`186`	`}`
`187`	`187`
`188`		`-ifstrings.Contains(cookie,"SameSite") {`
`189`		`-t.Fatalf("cookie should not contain the substring 'SameSite' by default, but did: %q",cookie)`
	`188`	`+sameSiteLax:="SameSite=Lax"`
	`189`	`+if!strings.Contains(cookie,sameSiteLax) {`
	`190`	`+t.Fatalf("cookie should contain %q by default: got %s",sameSiteLax,cookie)`
`190`	`191`	`}`
`191`	`192`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit79c60d0

File tree

6 files changed

6 files changed

`‎.circleci/config.yml`

`‎csrf.go`

`‎go.mod`

`‎go.sum`

`‎options.go`

`‎store_test.go`

0 commit comments