Add SameSite setting for cookies

Fix go-gitea#5583

Signed-off-by: Andrew Thornton <art27@cantab.net>

Author: zeripath

Diff for: custom/conf/app.example.ini

@@ -794,6 +794,8 @@ COOKIE_SECURE = false
 GC_INTERVAL_TIME = 86400
 ; Session life time in seconds, default is 86400 (1 day)
 SESSION_LIFE_TIME = 86400
+; SameSite settings. Either "none", "lax", or "strict"
+SAME_SITE=strict
 
 [picture]
 AVATAR_UPLOAD_PATH = data/avatars

Diff for: docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -557,6 +557,8 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
 - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
 - `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day)
+- `DOMAIN`: **\<empty\>**: Sets the cookie Domain
+- `SAME_SITE`: **strict** \[strict, lax, none\]: Set the SameSite setting for the cookie.
 
 ## Picture (`picture`)
 

Diff for: modules/auth/sso/sso.go

@@ -129,8 +129,20 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
 		}
 	}
 
-	middleware.SetCookie(resp, "lang", user.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+	middleware.SetCookie(resp, "lang", user.Language,
+		nil,
+		setting.AppSubURL,
+		setting.SessionConfig.Domain,
+		setting.SessionConfig.Secure,
+		true,
+		middleware.SameSiteString(setting.SessionConfig.SameSite))
 
 	// Clear whatever CSRF has right now, force to generate a new one
-	middleware.SetCookie(resp, setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+	middleware.SetCookie(resp, setting.CSRFCookieName, "",
+		-1,
+		setting.AppSubURL,
+		setting.SessionConfig.Domain,
+		setting.SessionConfig.Secure,
+		true,
+		middleware.SameSiteString(setting.SessionConfig.SameSite))
 }

Diff for: modules/context/auth.go

@@ -9,6 +9,7 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/middleware"
 )
 
 // ToggleOptions contains required or check options
@@ -41,7 +42,10 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 					ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
 					ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
 					if ctx.Req.URL.Path != "/user/events" {
-						ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
+						ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(),
+							0,
+							setting.AppSubURL,
+							middleware.SameSiteString("lax")) // TODO: I think this is correct!
 					}
 					ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
 					return
@@ -69,7 +73,10 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 		if options.SignInRequired {
 			if !ctx.IsSigned {
 				if ctx.Req.URL.Path != "/user/events" {
-					ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
+					ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(),
+						0,
+						setting.AppSubURL,
+						middleware.SameSiteString("lax")) // TODO: I think this is correct!
 				}
 				ctx.Redirect(setting.AppSubURL + "/user/login")
 				return
@@ -84,7 +91,10 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 		if !options.SignOutRequired && !ctx.IsSigned &&
 			len(ctx.GetCookie(setting.CookieUserName)) > 0 {
 			if ctx.Req.URL.Path != "/user/events" {
-				ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
+				ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(),
+					0,
+					setting.AppSubURL,
+					middleware.SameSiteString("lax")) // TODO: I think this is correct!
 			}
 			ctx.Redirect(setting.AppSubURL + "/user/login")
 			return

Diff for: modules/context/context.go

@@ -524,6 +524,14 @@ func SignedUserName(req *http.Request) string {
 }
 
 func getCsrfOpts() CsrfOptions {
+	sameSite := http.SameSiteStrictMode
+	switch strings.ToLower(setting.SessionConfig.SameSite) {
+	case "none":
+		sameSite = http.SameSiteNoneMode
+	case "lax":
+		sameSite = http.SameSiteLaxMode
+	}
+
 	return CsrfOptions{
 		Secret:         setting.SecretKey,
 		Cookie:         setting.CSRFCookieName,
@@ -533,6 +541,7 @@ func getCsrfOpts() CsrfOptions {
 		Header:         "X-Csrf-Token",
 		CookieDomain:   setting.SessionConfig.Domain,
 		CookiePath:     setting.SessionConfig.CookiePath,
+		SameSite:       sameSite,
 	}
 }
 
@@ -597,7 +606,7 @@ func Contexter() func(next http.Handler) http.Handler {
 						middleware.Domain(setting.SessionConfig.Domain),
 						middleware.HTTPOnly(true),
 						middleware.Secure(setting.SessionConfig.Secure),
-						//middlewares.SameSite(opt.SameSite), FIXME: we need a samesite config
+						middleware.SameSiteString(setting.SessionConfig.SameSite),
 					)
 					return
 				}
@@ -607,7 +616,7 @@ func Contexter() func(next http.Handler) http.Handler {
 					middleware.Domain(setting.SessionConfig.Domain),
 					middleware.HTTPOnly(true),
 					middleware.Secure(setting.SessionConfig.Secure),
-					//middleware.SameSite(), FIXME: we need a samesite config
+					middleware.SameSiteString(setting.SessionConfig.SameSite),
 				)
 			})
 

Diff for: modules/setting/session.go

@@ -31,10 +31,13 @@ var (
 		Secure bool
 		// Cookie domain name. Default is empty.
 		Domain string
+		// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "strict"
+		SameSite string
 	}{
 		CookieName:  "i_like_gitea",
 		Gclifetime:  86400,
 		Maxlifetime: 86400,
+		SameSite:    "strict",
 	}
 )
 
@@ -52,6 +55,7 @@ func newSessionService() {
 	SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
 	SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
 	SessionConfig.Domain = sec.Key("DOMAIN").String()
+	SessionConfig.SameSite = sec.Key("SAME_SITE").In("strict", []string{"none", "lax", "strict"})
 
 	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	shadowConfig, err := json.Marshal(SessionConfig)

Diff for: modules/web/middleware/cookie.go

@@ -8,6 +8,7 @@ package middleware
 import (
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"code.gitea.io/gitea/modules/setting"
@@ -63,6 +64,20 @@ func SameSite(sameSite http.SameSite) func(*http.Cookie) {
 	}
 }
 
+// SameSiteString sets the SameSite for a provided cookie
+func SameSiteString(sameSite string) func(*http.Cookie) {
+	return func(c *http.Cookie) {
+		switch strings.ToLower(sameSite) {
+		case "none":
+			c.SameSite = http.SameSiteNoneMode
+		case "lax":
+			c.SameSite = http.SameSiteLaxMode
+		default:
+			c.SameSite = http.SameSiteStrictMode
+		}
+	}
+}
+
 // NewCookie creates a cookie
 func NewCookie(name, value string, maxAge int) *http.Cookie {
 	return &http.Cookie{

Diff for: modules/web/middleware/locale.go

@@ -7,6 +7,7 @@ package middleware
 import (
 	"net/http"
 
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/translation"
 
 	"github.com/unknwon/i18n"
@@ -42,7 +43,13 @@ func Locale(resp http.ResponseWriter, req *http.Request) translation.Locale {
 	}
 
 	if changeLang {
-		SetCookie(resp, "lang", lang, 1<<31-1)
+		SetCookie(resp, "lang", lang,
+			nil,
+			setting.AppSubURL,
+			setting.SessionConfig.Domain,
+			setting.SessionConfig.Secure,
+			true,
+			SameSiteString(setting.SessionConfig.SameSite))
 	}
 
 	return translation.NewLocale(lang)

Diff for: routers/user/auth.go

@@ -24,6 +24,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/routers/utils"
 	"code.gitea.io/gitea/services/externalaccount"
 	"code.gitea.io/gitea/services/mailer"
@@ -64,8 +65,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 	defer func() {
 		if !isSucceed {
 			log.Trace("auto-login cookie cleared: %s", uname)
-			ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
-			ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+			ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+			ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 		}
 	}()
 
@@ -95,7 +96,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, err
 	}
 
-	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 	return true, nil
 }
 
@@ -109,13 +110,13 @@ func checkAutoLogin(ctx *context.Context) bool {
 
 	redirectTo := ctx.Query("redirect_to")
 	if len(redirectTo) > 0 {
-		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 	} else {
 		redirectTo = ctx.GetCookie("redirect_to")
 	}
 
 	if isSucceed {
-		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 		ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
 		return true
 	}
@@ -497,9 +498,9 @@ func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
 func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
 	if remember {
 		days := 86400 * setting.LogInRememberDays
-		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
-			setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+			setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 	}
 
 	_ = ctx.Session.Delete("openid_verified_uri")
@@ -530,10 +531,10 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 		}
 	}
 
-	ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+	ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 
 	// Clear whatever CSRF has right now, force to generate a new one
-	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 
 	// Register last login
 	u.SetLastLogin()
@@ -543,7 +544,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	}
 
 	if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
-		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 		if obeyRedirect {
 			ctx.RedirectToFirst(redirectTo)
 		}
@@ -649,7 +650,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
 		}
 
 		// Clear whatever CSRF has right now, force to generate a new one
-		ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+		ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 
 		// Register last login
 		u.SetLastLogin()
@@ -664,7 +665,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
 		}
 
 		if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
-			ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+			ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 			ctx.RedirectToFirst(redirectTo)
 			return
 		}
@@ -1042,11 +1043,11 @@ func LinkAccountPostRegister(ctx *context.Context) {
 func HandleSignOut(ctx *context.Context) {
 	_ = ctx.Session.Flush()
 	_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
-	ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
-	ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
-	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
-	ctx.SetCookie("lang", "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
-	ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)                                                            // logout default should set redirect to to default
+	ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+	ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+	ctx.SetCookie("lang", "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite)) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
+	ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)                                                                                                                       // logout default should set redirect to to default
 }
 
 // SignOut sign out from login status

Diff for: routers/user/auth_openid.go

@@ -20,6 +20,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/mailer"
 )
 
@@ -47,13 +48,13 @@ func SignInOpenID(ctx *context.Context) {
 
 	redirectTo := ctx.Query("redirect_to")
 	if len(redirectTo) > 0 {
-		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 	} else {
 		redirectTo = ctx.GetCookie("redirect_to")
 	}
 
 	if isSucceed {
-		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 		ctx.RedirectToFirst(redirectTo)
 		return
 	}

Diff for: routers/user/setting/profile.go

@@ -21,6 +21,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/modules/web/middleware"
 
 	"github.com/unknwon/i18n"
 )
@@ -116,7 +117,7 @@ func ProfilePost(ctx *context.Context) {
 	}
 
 	// Update the language to the one we just set
-	ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+	ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
 
 	log.Trace("User settings updated: %s", ctx.User.Name)
 	ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))