diff --git a/docs/config.schema.json b/docs/config.schema.json
index 61627138c177..2bf8a99aafb6 100644
--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -185,6 +185,15 @@
 "$ref": "#/definitions/selfServiceRedirectHook"
 },
 "uniqueItems": true
+ },
+ "cookiesSameSite": {
+ "type": "string",
+ "enum": [
+ "Strict",
+ "Lax",
+ "None"
+ ],
+ "default": "Lax"
 }
 },
 "properties": {
@@ -588,6 +597,27 @@
 }
 },
 "additionalProperties": false
+ },
+ "security": {
+ "type": "object",
+ "properties": {
+ "session": {
+ "type": "object",
+ "properties": {
+ "cookie": {
+ "type": "object",
+ "properties": {
+ "same_site": {
+ "$ref": "#/definitions/cookiesSameSite"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
 }
 },
 "required": [
diff --git a/driver/configuration/provider.go b/driver/configuration/provider.go
index b647f1e44a4c..15505ead1b16 100644
--- a/driver/configuration/provider.go
+++ b/driver/configuration/provider.go
@@ -2,6 +2,7 @@ package configuration
 
 import (
 "encoding/json"
+ "net/http"
 "net/url"
 "time"
 
@@ -99,4 +100,6 @@ type Provider interface {
 TracingJaegerConfig() *tracing.JaegerConfig
 
 IsInsecureDevMode() bool
+
+ SessionSameSiteMode() http.SameSite
 }
diff --git a/driver/configuration/provider_viper.go b/driver/configuration/provider_viper.go
index 3bcda8cf2bb5..0c0dbf5d0d62 100644
--- a/driver/configuration/provider_viper.go
+++ b/driver/configuration/provider_viper.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
+ "net/http"
 "net/url"
 "runtime"
 "time"
@@ -53,6 +54,8 @@ const (
 
 ViperKeyLifespanSession = "ttl.session"
 
+ ViperKeySessionSameSite = "security.session.cookie.same_site"
+
 ViperKeySelfServiceStrategyConfig = "selfservice.strategies"
 ViperKeySelfServiceRegistrationBeforeConfig = "selfservice.registration.before"
 ViperKeySelfServiceRegistrationAfterConfig = "selfservice.registration.after"
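Review bot: The new `cookiesSameSite` definition in the first hunk has no `description`, so someone reading the schema gets no hint about the one value with a browser-side precondition: `None` is only honoured by browsers when the cookie also carries the Secure attribute, otherwise the session cookie is silently dropped. A short description next to the enum would prevent that misconfiguration, e.g. `"description": "SameSite attribute of the session cookie. 'None' requires the cookie to also be sent with the Secure attribute, otherwise browsers reject it."`. The same wording could be reused on the `same_site` property in the second hunk.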
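Review bot: The new exported interface method `SessionSameSiteMode() http.SameSite` in the `Provider` hunk has no doc comment, unlike what a reader of a public interface expects. Suggest `// SessionSameSiteMode returns the SameSite attribute to set on session cookies, as configured under security.session.cookie.same_site (default "Lax").` — the key and default are the ones introduced in the provider_viper.go hunks of this commit. The `Provider` interface starts outside the hunk.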
@@ -370,3 +373,15 @@ func (p *ViperProvider) SelfServiceVerificationReturnTo() *url.URL {
 func (p *ViperProvider) SelfServicePrivilegedSessionMaxAge() time.Duration {
 return viperx.GetDuration(p.l, ViperKeySelfServicePrivilegedAuthenticationAfter, time.Hour)
 }
+
+func (p *ViperProvider) SessionSameSiteMode() http.SameSite {
+ switch viperx.GetString(p.l, ViperKeySessionSameSite, "Lax") {
+ case "Lax":
+ return http.SameSiteLaxMode
+ case "Strict":
+ return http.SameSiteStrictMode
+ case "None":
+ return http.SameSiteNoneMode
+ }
+ return http.SameSiteDefaultMode
+}
diff --git a/driver/registry_default.go b/driver/registry_default.go
index 0afffd48f390..da797b6f6801 100644
--- a/driver/registry_default.go
+++ b/driver/registry_default.go
@@ -69,7 +69,7 @@ type RegistryDefault struct {
 schemaHandler *schema.Handler
 
 sessionHandler *session.Handler
- sessionsStore sessions.Store
+ sessionsStore *sessions.CookieStore
 sessionManager session.Manager
 
 passwordHasher password2.Hasher
@@ -279,6 +279,7 @@ func (m *RegistryDefault) CookieManager() sessions.Store {
 cs.Options.HttpOnly = true
 m.sessionsStore = cs
 }
+ m.sessionsStore.Options.SameSite = m.c.SessionSameSiteMode()
 return m.sessionsStore
 }
 
diff --git a/internal/httpclient/client/common/get_schema_parameters.go b/internal/httpclient/client/common/get_schema_parameters.go
index f230212d06e2..fdf8a692485d 100644
--- a/internal/httpclient/client/common/get_schema_parameters.go
+++ b/internal/httpclient/client/common/get_schema_parameters.go
@@ -13,8 +13,7 @@ import (
 "github.com/go-openapi/errors"
 "github.com/go-openapi/runtime"
 cr "github.com/go-openapi/runtime/client"
-
- strfmt "github.com/go-openapi/strfmt"
+ "github.com/go-openapi/strfmt"
 )
 
 // NewGetSchemaParams creates a new GetSchemaParams object
diff --git a/internal/httpclient/client/common/get_schema_responses.go b/internal/httpclient/client/common/get_schema_responses.go
index d0ed4b6edfb5..7b35f518d7b7 100644
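Review bot: In `SessionSameSiteMode` an unrecognised value (a typo, or a lowercase `lax` set through an environment variable, which bypasses the JSON schema enum) is matched case-sensitively and silently falls through to `http.SameSiteDefaultMode`, so the session cookie is emitted without any SameSite attribute and the operator never learns the setting was ignored. Capturing the value and logging before the fallback makes the misconfiguration visible: `v := viperx.GetString(p.l, ViperKeySessionSameSite, "Lax")`, `switch v {`, and after the switch `p.l.Warnf("Unknown value %q for %s, not setting a SameSite attribute", v, ViperKeySessionSameSite)` (assuming `p.l` is the logrus logger that viperx already receives). It would also be worth a comment on the `"None"` case that `http.SameSiteNoneMode` is only honoured by browsers when the cookie is Secure.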
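Review bot: In the `CookieManager` hunk the added `m.sessionsStore.Options.SameSite = m.c.SessionSameSiteMode()` sits outside the nil-guarded initialisation, so it re-reads the configuration and writes to the shared store's `Options` on every call rather than once; if `CookieManager` is reached from concurrent request handlers (not visible in this hunk) that is an unsynchronised write to state the handlers read. Placing it next to the other option assignments as `cs.Options.SameSite = m.c.SessionSameSiteMode()` keeps the store configured once at creation and matches how `HttpOnly` is set two lines above. Since `SameSiteNoneMode` is only accepted by browsers together with the Secure attribute, a one-line comment there noting that the Secure assignment (outside this hunk) must stay true when `None` is configured would help the next maintainer. The function's opening lines are outside the hunk.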
--- a/internal/httpclient/client/common/get_schema_responses.go
+++ b/internal/httpclient/client/common/get_schema_responses.go
@@ -10,8 +10,7 @@ import (
 "io"
 
 "github.com/go-openapi/runtime"
-
- strfmt "github.com/go-openapi/strfmt"
+ "github.com/go-openapi/strfmt"
 
 "github.com/ory/kratos/internal/httpclient/models"
 )