fix: Set SameSite=Lax by default (#136)
* change: set SameSite=Lax by default
* deps: update errors to v0.9.1
* build: add go 1.13, go 1.14
* docs: update SameSiteDefaultMode godoc
elithrar authored Apr 26, 2020
1 parent dbfab4e commit 79c60d0
Showing 6 changed files with 30 additions and 10 deletions.
12 changes: 12 additions & 0 deletions .circleci/config.yml
Expand Up @@ -23,6 +23,16 @@ jobs:
LATEST: "true"
GO111MODULE: "on"

"1.14":
<<: *test
docker:
- image: circleci/golang:1.14

"1.13":
<<: *test
docker:
- image: circleci/golang:1.13

"1.12":
<<: *test
docker:
Expand Down Expand Up @@ -58,6 +68,8 @@ workflows:
build:
jobs:
- "latest"
- "1.14"
- "1.13"
- "1.12"
- "1.11"
- "1.10"
7 changes: 4 additions & 3 deletions csrf.go
Expand Up @@ -62,9 +62,10 @@ type SameSiteMode int

// SameSite options
const (
// SameSiteDefaultMode sets an invalid SameSite header which defaults to
// 'Lax' in most browsers, but may cause some browsers to ignore the cookie
// entirely.
// SameSiteDefaultMode sets the `SameSite` cookie attribute, which is
// invalid in some older browsers due to changes in the SameSite spec. These
// browsers will not send the cookie to the server.
// csrf uses SameSiteLaxMode (SameSite=Lax) as the default as of v1.7.0+
SameSiteDefaultMode SameSiteMode = iota + 1
SameSiteLaxMode
SameSiteStrictMode
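Review bot: The rewritten godoc for SameSiteDefaultMode (the four comment lines above the iota) still does not say what is actually written to the cookie, which is the fact a user choosing this mode needs: "sets the `SameSite` cookie attribute, which is invalid in some older browsers" reads as if a valid attribute were set. If I recall correctly, net/http on the older Go releases this module still builds for emits a bare `SameSite` attribute with no value for this mode, which is why some browsers drop the cookie; the comment should state that directly and say the mode is kept only for compatibility, e.g. `// SameSiteDefaultMode leaves the value to net/http, which may emit a bare "SameSite" attribute that some browsers reject, dropping the cookie. Kept for compatibility; SameSiteLaxMode is the default since v1.7.0.`. The `+` in `v1.7.0+` is redundant with "as of". The const block continues outside the hunk.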
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -2,7 +2,7 @@ module github.com/gorilla/csrf

require (
github.com/gorilla/securecookie v1.1.1
github.com/pkg/errors v0.8.0
github.com/pkg/errors v0.9.1
)

go 1.13
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -2,3 +2,5 @@ github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyC
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
4 changes: 4 additions & 0 deletions options.go
Expand Up @@ -152,6 +152,10 @@ func parseOptions(h http.Handler, opts ...Option) *csrf {
cs.opts.Secure = true
cs.opts.HttpOnly = true

// Set SameSite=Lax by default, allowing the CSRF cookie to only be sent on
// top-level navigations.
cs.opts.SameSite = SameSiteLaxMode

// Default; only override this if the package user explicitly calls MaxAge(0)
cs.opts.MaxAge = defaultAge

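Review bot: The comment added above `cs.opts.SameSite = SameSiteLaxMode` understates what Lax does: the cookie is still sent on every same-site request, and on cross-site requests only for top-level navigations with safe methods such as GET, while cross-site POSTs and subresource requests omit it. I'd write `// Set SameSite=Lax by default: the cookie is sent on same-site requests and on cross-site top-level navigations with safe methods (e.g. GET), but not on cross-site POSTs or subresource loads.` so readers do not assume the attribute alone blocks cross-site form posts. Presumably this cookie carries the CSRF token, so a missing cookie fails the token comparison anyway and SameSite here is defense in depth rather than the primary check; worth saying in the comment. parseOptions starts and ends outside the hunk, so I am assuming caller-supplied opts are applied after these defaults and can still override the mode.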
13 changes: 7 additions & 6 deletions store_test.go
Expand Up @@ -160,9 +160,9 @@ func TestSameSizeSet(t *testing.T) {
}
}

// TestSamesiteBackwardsCompat tests that the default set of options do not set
// any SameSite attribute.
func TestSamesiteBackwardsCompat(t *testing.T) {
// TestSameSiteDefault tests that the default set of options
// set SameSite=Lax on the CSRF cookie.
func TestSameSiteDefaultLaxMode(t *testing.T) {
s := http.NewServeMux()
s.HandleFunc("/", testHandler)

Expand All @@ -182,10 +182,11 @@ func TestSamesiteBackwardsCompat(t *testing.T) {

cookie := rr.Header().Get("Set-Cookie")
if cookie == "" {
t.Fatalf("cookie not get set-cookie header: got headers %v", rr.Header())
t.Fatalf("cookie not get Set-Cookie header: got headers %v", rr.Header())
}

if strings.Contains(cookie, "SameSite") {
t.Fatalf("cookie should not contain the substring 'SameSite' by default, but did: %q", cookie)
sameSiteLax := "SameSite=Lax"
if !strings.Contains(cookie, sameSiteLax) {
t.Fatalf("cookie should contain %q by default: got %s", sameSiteLax, cookie)
}
}
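Review bot: The doc comment on the renamed test names `TestSameSiteDefault` while the function is `TestSameSiteDefaultLaxMode`; Go doc comments should open with the identifier, so `// TestSameSiteDefaultLaxMode tests that the default set of options`. The Fatalf message `cookie not get Set-Cookie header` is ungrammatical (`did not get Set-Cookie header`), and `got %s` for the cookie should be `%q` to match the other format verb and make an empty or whitespace-laden value visible. The substring check `strings.Contains(cookie, "SameSite=Lax")` is fine for this purpose, though parsing with `rr.Result().Cookies()` and comparing the `SameSite` field to `http.SameSiteLaxMode` would not depend on attribute spelling. The test body is split across two hunks, so the request setup between them is not visible here.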
