Skip to content

The CSRF cookie is not set when opening a page through an iframe #1523

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
3 tasks done
pr0head opened this issue Mar 4, 2020 · 5 comments · Fixed by #1524
Closed
3 tasks done

The CSRF cookie is not set when opening a page through an iframe #1523

pr0head opened this issue Mar 4, 2020 · 5 comments · Fixed by #1524

Comments

@pr0head
Copy link
Contributor

pr0head commented Mar 4, 2020

Issue Description

There is no way to change SameSite mode when setting CSRF cookies.

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs

Expected behaviour

Successfully setting CSRF cookie when opening a page through an iframe.

Actual behaviour

Cannot install CSRF via iframe. The browser reports an error:
This set-cookie didn't specify a SameSite attribute and was defaulted to SameSite=Lax and broke the same rules specified in the SameSiteLax value.

Steps to reproduce

Activate the SameSite experimental mode in Google Chrome (which will be turned on by default soon) and try to open the page through the iframe.

How to enable: https://www.chromium.org/updates/same-site/test-debug
What is a problem: https://web.dev/samesite-cookies-explained/

Working code to debug

server.Echo.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
	TokenLookup: "header:X-XSRF-TOKEN",
	CookieName:  "_csrf",
}))

Version/commit

v4.1.15
@fullfs
Copy link

fullfs commented Mar 18, 2020

Having the same problem

@stale
Copy link

stale bot commented May 17, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label May 17, 2020
@stale stale bot closed this as completed May 24, 2020
@segevfiner
Copy link
Contributor

segevfiner commented Oct 4, 2020
edited
Loading

I'm hitting this too, this should be reopened... It's likely it was just not even looked at and got closed by the stale bot. God I hate auto close issues and PR bots, always feels like a way to just ignore issues so they go away and should really only apply to issues/PRs where the owner of them disappeared

@ensarturko
Copy link

I have the same problem as well

@PatrLind
Copy link

PatrLind commented Dec 2, 2020

Firefox now gives this warning:

Some cookies are misusing the recommended “SameSite“ attribute

Cookie “_csrf” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

@pafuent pafuent reopened this Dec 3, 2020
@stale stale bot removed the wontfix label Dec 3, 2020
pr0head added a commit to pr0head/echo that referenced this issue Dec 3, 2020
@pr0head
Fix labstack#1523 by adding secure cookie if SameSite mode is None
dc147d9
@lammel lammel linked a pull request Dec 15, 2020 that will close this issue
Fix #1523 by adding SameSite mode for CSRF settings #1524
Merged
@lammel lammel closed this as completed in 8b2c77b Jan 3, 2021
@pafuent pafuent mentioned this issue Jan 5, 2021
Open
@mkurz mkurz mentioned this issue Apr 6, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #1523 by adding SameSite mode for CSRF settings pr0head/echo
6 participants
@ensarturko @PatrLind @pafuent @pr0head @fullfs @segevfiner