From abc002956b816ab85db0dafa4e69790f77422ad6 Mon Sep 17 00:00:00 2001
From: Jason McNeil
Date: Wed, 1 Dec 2021 09:53:15 -0400
Subject: [PATCH 1/4] CookieSameSite default "Lax"
---
 middleware/session/README.md | 2 +-
 middleware/session/session.go | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/middleware/session/README.md b/middleware/session/README.md
index 35493e32e7..7f20667861 100644
--- a/middleware/session/README.md
+++ b/middleware/session/README.md
@@ -141,7 +141,7 @@ type Config struct {
     CookieHTTPOnly bool
 
     // Indicates if CSRF cookie is HTTP only.
-    // Optional. Default value false.
+    // Optional. Default value "Lax".
     CookieSameSite string
 
     // KeyGenerator generates the session key.
diff --git a/middleware/session/session.go b/middleware/session/session.go
index 99f33a50c0..c8be6625b3 100644
--- a/middleware/session/session.go
+++ b/middleware/session/session.go
@@ -202,7 +202,6 @@ func (s *Session) setSession() {
     fcookie.SetSecure(s.config.CookieSecure)
     fcookie.SetHTTPOnly(s.config.CookieHTTPOnly)
 
-    // TODO Default value should be set to `strict` in fiber v3.
     switch utils.ToLower(s.config.CookieSameSite) {
     case "strict":
         fcookie.SetSameSite(fasthttp.CookieSameSiteStrictMode)
From 57607f12458bc1e43f0ba30352f38f34632c7713 Mon Sep 17 00:00:00 2001
From: Jason McNeil
Date: Wed, 1 Dec 2021 10:07:55 -0400
Subject: [PATCH 2/4] Update README.md
---
 middleware/session/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/middleware/session/README.md b/middleware/session/README.md
index 7f20667861..2c13de035a 100644
--- a/middleware/session/README.md
+++ b/middleware/session/README.md
@@ -140,7 +140,7 @@ type Config struct {
     // Optional. Default value false.
     CookieHTTPOnly bool
 
-    // Indicates if CSRF cookie is HTTP only.
+    // Sets the CSRF cookie SameSite attribute.
     // Optional. Default value "Lax".
     CookieSameSite string
 
From 414187704b6173481f992ad96bb1a6df1094bd4d Mon Sep 17 00:00:00 2001
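Review bot: The README hunk now documents `CookieSameSite` as defaulting to "Lax", but the session.go hunk only deletes the TODO comment; the `switch utils.ToLower(s.config.CookieSameSite)` shows just the `"strict"` arm here and its other arms and `default:` lie outside the hunk, so this diff does not show that an unset value actually produces `SameSite=Lax` rather than no attribute at all. If the fallback leaves the attribute unset, "Lax" only holds where the browser applies it as the implicit default, and browsers have not agreed on that, which is weaker than what the doc now promises. Making the documented default real means setting `CookieSameSite: "Lax",` in the session middleware's `ConfigDefault` (not part of this diff) and having the `default:` arm call `fcookie.SetSameSite(fasthttp.CookieSameSiteLaxMode)`. The field comment `// Indicates if CSRF cookie is HTTP only.` also reads as copied from the csrf middleware; patch 2/4 fixes its first half but still calls a session cookie a "CSRF cookie". `setSession` continues outside the hunk.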
From: Jason McNeil
Date: Wed, 1 Dec 2021 10:30:46 -0400
Subject: [PATCH 3/4] CookieSameSite default "Lax"
---
 middleware/csrf/README.md | 6 +++---
 middleware/csrf/config.go | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/middleware/csrf/README.md b/middleware/csrf/README.md
index f88a1e58cc..eb516a85ba 100644
--- a/middleware/csrf/README.md
+++ b/middleware/csrf/README.md
@@ -46,7 +46,7 @@ app.Use(csrf.New()) // Default config
 app.Use(csrf.New(csrf.Config{
     KeyLookup: "header:X-Csrf-Token",
     CookieName: "csrf_",
-    CookieSameSite: "Strict",
+    CookieSameSite: "Lax",
     Expiration: 1 * time.Hour,
     KeyGenerator: utils.UUID,
 }))
@@ -106,7 +106,7 @@ type Config struct {
     CookieHTTPOnly bool
 
     // Indicates if CSRF cookie is requested by SameSite.
-    // Optional. Default value "Strict".
+    // Optional. Default value "Lax".
     CookieSameSite string
 
     // Expiration is the duration before csrf token will expire
@@ -138,7 +138,7 @@ type Config struct {
 var ConfigDefault = Config{
     KeyLookup: "header:X-Csrf-Token",
     CookieName: "csrf_",
-    CookieSameSite: "Strict",
+    CookieSameSite: "Lax",
     Expiration: 1 * time.Hour,
     KeyGenerator: utils.UUID,
 }
diff --git a/middleware/csrf/config.go b/middleware/csrf/config.go
index c4b76e0b10..afd586b56d 100644
--- a/middleware/csrf/config.go
+++ b/middleware/csrf/config.go
@@ -50,7 +50,7 @@ type Config struct {
     CookieHTTPOnly bool
 
     // Value of SameSite cookie.
-    // Optional. Default value "Strict".
+    // Optional. Default value "Lax".
     CookieSameSite string
 
     // Expiration is the duration before csrf token will expire
@@ -96,7 +96,7 @@ type Config struct {
 var ConfigDefault = Config{
     KeyLookup: "header:X-Csrf-Token",
     CookieName: "csrf_",
-    CookieSameSite: "Strict",
+    CookieSameSite: "Lax",
     Expiration: 1 * time.Hour,
     KeyGenerator: utils.UUID,
     ErrorHandler: defaultErrorHandler,
From 44730b31ec3c731fe0b5ac94ff6fa8369638e7bb Mon Sep 17 00:00:00 2001
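Review bot: `ConfigDefault.CookieSameSite` goes from `"Strict"` to `"Lax"` in the last config.go hunk, which relaxes the CSRF cookie for every caller relying on the defaults, and neither the commit message nor the hunk says why; patch 4/4 of this series reverts it minutes later, so the pair should be squashed out rather than landing as a flip-flop in history. If the relaxation is picked up again, the trade-off belongs next to the default: with `KeyLookup: "header:X-Csrf-Token"` the token presumably still has to be echoed in a custom request header, which a cross-site page cannot add without CORS, so Lax does not by itself break the check, but it does let the cookie accompany cross-site top-level GET navigations, so any route that changes state on GET loses what Strict gave it. A comment such as `// "Strict" keeps the CSRF cookie off cross-site navigations; use "Lax" only if no state-changing route is reachable via GET.` on the default would make that explicit.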
From: Jason McNeil
Date: Wed, 1 Dec 2021 10:31:14 -0400
Subject: [PATCH 4/4] Revert "CookieSameSite default "Lax""
This reverts commit 414187704b6173481f992ad96bb1a6df1094bd4d.
---
 middleware/csrf/README.md | 6 +++---
 middleware/csrf/config.go | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/middleware/csrf/README.md b/middleware/csrf/README.md
index eb516a85ba..f88a1e58cc 100644
--- a/middleware/csrf/README.md
+++ b/middleware/csrf/README.md
@@ -46,7 +46,7 @@ app.Use(csrf.New()) // Default config
 app.Use(csrf.New(csrf.Config{
     KeyLookup: "header:X-Csrf-Token",
     CookieName: "csrf_",
-    CookieSameSite: "Lax",
+    CookieSameSite: "Strict",
     Expiration: 1 * time.Hour,
     KeyGenerator: utils.UUID,
 }))
@@ -106,7 +106,7 @@ type Config struct {
     CookieHTTPOnly bool
 
     // Indicates if CSRF cookie is requested by SameSite.
-    // Optional. Default value "Lax".
+    // Optional. Default value "Strict".
     CookieSameSite string
 
     // Expiration is the duration before csrf token will expire
@@ -138,7 +138,7 @@ type Config struct {
 var ConfigDefault = Config{
     KeyLookup: "header:X-Csrf-Token",
     CookieName: "csrf_",
-    CookieSameSite: "Lax",
+    CookieSameSite: "Strict",
     Expiration: 1 * time.Hour,
     KeyGenerator: utils.UUID,
 }
diff --git a/middleware/csrf/config.go b/middleware/csrf/config.go
index afd586b56d..c4b76e0b10 100644
--- a/middleware/csrf/config.go
+++ b/middleware/csrf/config.go
@@ -50,7 +50,7 @@ type Config struct {
     CookieHTTPOnly bool
 
     // Value of SameSite cookie.
-    // Optional. Default value "Lax".
+    // Optional. Default value "Strict".
     CookieSameSite string
 
     // Expiration is the duration before csrf token will expire
@@ -96,7 +96,7 @@ type Config struct {
 var ConfigDefault = Config{
     KeyLookup: "header:X-Csrf-Token",
     CookieName: "csrf_",
-    CookieSameSite: "Lax",
+    CookieSameSite: "Strict",
     Expiration: 1 * time.Hour,
     KeyGenerator: utils.UUID,
     ErrorHandler: defaultErrorHandler,