Merge pull request #1498 from aacapella/feature/same-site-cookies

SameSite cookie support
revel · Jul 10, 2020 · ff2da7e · ff2da7e
2 parents ff43c73 + c6c4c35
commit ff2da7e
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/flash.go b/flash.go
@@ -59,6 +59,7 @@ func FlashFilter(c *Controller, fc []Filter) {
 		Value:    url.QueryEscape(flashValue),
 		HttpOnly: true,
 		Secure:   CookieSecure,
+		SameSite: CookieSameSite,
 		Path:     "/",
 	})
 }

diff --git a/revel.go b/revel.go
@@ -6,6 +6,7 @@ package revel
 
 import (
 	"go/build"
+	"net/http"
 	"path/filepath"
 	"strings"
 
@@ -73,7 +74,8 @@ var (
 	// Cookie domain
 	CookieDomain string
 	// Cookie flags
-	CookieSecure bool
+	CookieSecure   bool
+	CookieSameSite http.SameSite
 
 	// Revel request access log, not exposed from package.
 	// However output settings can be controlled from app.conf
@@ -174,6 +176,18 @@ func Init(inputmode, importPath, srcPath string) {
 	CookiePrefix = Config.StringDefault("cookie.prefix", "REVEL")
 	CookieDomain = Config.StringDefault("cookie.domain", "")
 	CookieSecure = Config.BoolDefault("cookie.secure", HTTPSsl)
+
+	switch Config.StringDefault("cookie.samesite", "") {
+	case "lax":
+		CookieSameSite = http.SameSiteLaxMode
+	case "strict":
+		CookieSameSite = http.SameSiteStrictMode
+	case "none":
+		CookieSameSite = http.SameSiteNoneMode
+	default:
+		CookieSameSite = http.SameSiteDefaultMode
+	}
+
 	if secretStr := Config.StringDefault("app.secret", ""); secretStr != "" {
 		SetSecretKey([]byte(secretStr))
 	}

diff --git a/session_adapter_cookie.go b/session_adapter_cookie.go
@@ -136,6 +136,7 @@ func (cse *SessionCookieEngine) GetCookie(s session.Session) *http.Cookie {
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   CookieSecure,
+		SameSite: CookieSameSite,
 		Expires:  ts.UTC(),
 		MaxAge:   int(cse.ExpireAfterDuration.Seconds()),
 	}

diff --git a/validation.go b/validation.go
@@ -295,6 +295,7 @@ func ValidationFilter(c *Controller, fc []Filter) {
 				Path:     "/",
 				HttpOnly: true,
 				Secure:   CookieSecure,
+				SameSite: CookieSameSite,
 			})
 		} else if hasCookie {
 			c.SetCookie(&http.Cookie{
@@ -304,6 +305,7 @@ func ValidationFilter(c *Controller, fc []Filter) {
 				Path:     "/",
 				HttpOnly: true,
 				Secure:   CookieSecure,
+				SameSite: CookieSameSite,
 			})
 		}
 	}