fix: proper SameSite=None in dev mode (#3502)
hperl authored Apr 29, 2023
1 parent 0e7e95f commit 5751fae
Showing 2 changed files with 11 additions and 1 deletion.
3 changes: 2 additions & 1 deletion driver/config/provider.go
Expand Up @@ -277,7 +277,8 @@ func (p *DefaultProvider) CookieSameSiteMode(ctx context.Context) http.SameSite
case "strict":
return http.SameSiteStrictMode
case "none":
if p.IsDevelopmentMode(ctx) {
if p.IssuerURL(ctx).Scheme != "https" {
// SameSite=None can only be set for HTTPS issuers.
return http.SameSiteLaxMode
}
return http.SameSiteNoneMode
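Review bot: The `case "none"` branch now picks None or Lax from `p.IssuerURL(ctx).Scheme` alone, but browsers only accept SameSite=None when the cookie also carries Secure, and the Secure decision is made elsewhere (not visible in this hunk). If Secure is still derived from development mode or a separate setting, a dev instance with an https issuer could emit SameSite=None without Secure and have the cookie dropped, so it is worth confirming that both attributes follow the same condition. The fallback is also silent: an operator who configured `none` gets Lax with no indication, so I would extend the comment to `// Browsers reject SameSite=None without Secure, so fall back to Lax when the issuer is not HTTPS.` and consider a one-time warning log. CookieSameSiteMode begins and ends outside the hunk.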
9 changes: 9 additions & 0 deletions driver/config/provider_test.go
Expand Up @@ -206,11 +206,20 @@ func TestProviderCookieSameSiteMode(t *testing.T) {
p.MustSet(ctx, KeyCookieSameSiteMode, "none")
assert.Equal(t, http.SameSiteNoneMode, p.CookieSameSiteMode(ctx))

p.MustSet(ctx, KeyCookieSameSiteMode, "lax")
assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))

p.MustSet(ctx, KeyCookieSameSiteMode, "strict")
assert.Equal(t, http.SameSiteStrictMode, p.CookieSameSiteMode(ctx))

p = MustNew(context.Background(), l, configx.SkipValidation())
p.MustSet(ctx, "dev", true)
assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))
p.MustSet(ctx, KeyCookieSameSiteMode, "none")
assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))

p.MustSet(ctx, KeyIssuerURL, "https://example.com")
assert.Equal(t, http.SameSiteNoneMode, p.CookieSameSiteMode(ctx))
}

func TestViperProviderValidates(t *testing.T) {
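Review bot: The new assertions never set an explicit non-HTTPS issuer, so the Lax fallback is only exercised through whatever default `IssuerURL` yields in dev mode. Adding `p.MustSet(ctx, KeyIssuerURL, "http://example.com")` followed by `assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))` after the https case would pin the scheme check itself, and the same pair on the non-dev provider would cover the behaviour change outside dev mode. The assertions also depend on the order of mutations on a shared `p`; `t.Run` subtests with a fresh provider each would make a failure easier to localise. TestProviderCookieSameSiteMode starts outside the hunk.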