Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix no default samesite #276

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix no default samesite #276

wants to merge 2 commits into from

Conversation

bharat-rajani
Copy link

@bharat-rajani bharat-rajani commented Apr 21, 2024
edited

What type of PR is this? (check all applicable)

  • Refactor
  • Feature
  • Bug Fix
  • Optimization
  • Documentation Update
  • Go Version Update
  • Dependency Update

Description

This PR sets the SameSite cookie attribute to Lax in the Set-Cookie header. The SameSite=Lax value provides a reasonable balance between security and usability for websites.

Reference:
https://owasp.org/www-community/SameSite

Related Tickets & Documents

Added/updated tests?

  • Yes
  • No, and this is why: please replace this line with details on why tests
    have not been included
  • I need help with writing tests

Run verifications and test

  • make verify is passing
  • make test is passing

Fixes: #256

jaitaiwan
jaitaiwan requested changes Apr 22, 2024
View reviewed changes
Copy link

@jaitaiwan jaitaiwan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I read of your linked comments, it seems like we should set the default to "None" for backwards compatible behaviour.

.gitignore Outdated Show resolved Hide resolved
@bharat-rajani
Copy link
Author

bharat-rajani commented Apr 22, 2024
edited

@jaitaiwan #276 (review)

Sure I can add Samesite as None. However, some browsers are mandating additional Secure attribute when SameSite=None.
( chrome, firefox )

I think it will be good to add Secure along with SameSite=None, let me know what you think!

@jaitaiwan
Copy link

I think that's a good idea. We can release it under a major version tag so it doesn't break folk's installations either way.

@jaitaiwan
Copy link

LGTM - Just waiting for scanning/tests to finish

@bharat-rajani
Copy link
Author

@jaitaiwan I believe vulncheck issues are unrelated and we can tackle them separately.
Also, I ran linter locally and I don't see issues which are somehow reported in github workflow.

docker run -t --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.53.3 golangci-lint run -v

Can you help?

@apoorvajagtap
Copy link
Member

The linter is passing for me as well. I think this could be a false positive, I can't even find the existence of max reported in the error.
I think we can ignore the lint errors, and as @bharat-rajani mentioned we can work through the vuln failures seperately. @jaitaiwan WDYT?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaitaiwan jaitaiwan jaitaiwan requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SameSite is not set in the default path
3 participants
@bharat-rajani @jaitaiwan @apoorvajagtap