safeweb: set SameSite=Strict, with an option for Lax (#11781)

Fixes #11780

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
pull/11786/head
Chris Palmer 7 months ago committed by GitHub
parent dd48cad89a
commit 88a7767492
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -128,6 +128,10 @@ type Config struct {
// unsafe-inline` in the Content-Security-Policy header to permit the use of
// inline CSS.
CSPAllowInlineStyles bool
// CookiesSameSiteLax specifies whether to use SameSite=Lax in cookies. The
// default is to set SameSite=Strict.
CookiesSameSiteLax bool
}
func (c *Config) setDefaults() error {
@ -173,12 +177,16 @@ func NewServer(config Config) (*Server, error) {
return nil, fmt.Errorf("failed to set defaults: %w", err)
}
sameSite := csrf.SameSiteStrictMode
if config.CookiesSameSiteLax {
sameSite = csrf.SameSiteLaxMode
}
s := &Server{
Config: config,
csp: defaultCSP,
// only set Secure flag on CSRF cookies if we are in a secure context
// as otherwise the browser will reject the cookie
csrfProtect: csrf.Protect(config.CSRFSecret, csrf.Secure(config.SecureContext)),
csrfProtect: csrf.Protect(config.CSRFSecret, csrf.Secure(config.SecureContext), csrf.SameSite(sameSite)),
}
if config.CSPAllowInlineStyles {
s.csp = defaultCSP + `; style-src 'self' 'unsafe-inline'`

Loading…
Cancel
Save