From 88a7767492b8e302c0624932c361cd3275cc01d2 Mon Sep 17 00:00:00 2001
From: Chris Palmer
Date: Wed, 17 Apr 2024 16:20:14 -0700
Subject: [PATCH] safeweb: set SameSite=Strict, with an option for Lax (#11781)

Fixes #11780

Signed-off-by: Chris Palmer
---
 safeweb/http.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/safeweb/http.go b/safeweb/http.go
index 5a8a6078a..77853f6ee 100644
--- a/safeweb/http.go
+++ b/safeweb/http.go
@@ -128,6 +128,10 @@ type Config struct {
 // unsafe-inline` in the Content-Security-Policy header to permit the use of
 // inline CSS.
 CSPAllowInlineStyles bool
+
+ // CookiesSameSiteLax specifies whether to use SameSite=Lax in cookies. The
+ // default is to set SameSite=Strict.
+ CookiesSameSiteLax bool
 }
 func (c *Config) setDefaults() error {
@@ -173,12 +177,16 @@ func NewServer(config Config) (*Server, error) {
 return nil, fmt.Errorf("failed to set defaults: %w", err)
 }
+ sameSite := csrf.SameSiteStrictMode
+ if config.CookiesSameSiteLax {
+ sameSite = csrf.SameSiteLaxMode
+ }
 s := &Server{
 Config: config,
 csp: defaultCSP,
 // only set Secure flag on CSRF cookies if we are in a secure context
 // as otherwise the browser will reject the cookie
- csrfProtect: csrf.Protect(config.CSRFSecret, csrf.Secure(config.SecureContext)),
+ csrfProtect: csrf.Protect(config.CSRFSecret, csrf.Secure(config.SecureContext), csrf.SameSite(sameSite)),
 }
 if config.CSPAllowInlineStyles {
 s.csp = defaultCSP + `; style-src 'self' 'unsafe-inline'`
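Review bot: The doc comment added to Config in the first hunk says SameSite=Lax is used "in cookies", but the only place the new field is read is the `csrf.SameSite(sameSite)` option handed to `csrf.Protect` in the second hunk, so as far as this patch shows it governs the CSRF token cookie alone and any other cookies the server or its handlers set are unaffected. Suggest narrowing the comment to `// CookiesSameSiteLax sets SameSite=Lax on the CSRF cookie instead of the default SameSite=Strict.` and, because Lax is the weaker of the two, adding one sentence on when it is actually needed (for example when the first request following a cross-site top-level navigation must carry the token) so callers do not enable it reflexively. The `Config` struct and `NewServer` both begin before their respective hunks.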