From 37a825b810d34a84044d43bd1bed579fcdc31874 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 29 Apr 2025 09:27:53 -0600
Subject: feat: use same site strict mode
> Strict causes the browser to only send the cookie in response to
> requests originating from the cookie's origin site. This should be
> used when you have cookies relating to functionality that will
> always be behind an initial navigation, such as authentication or
> storing shopping cart information.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#controlling_third-party_cookies_with_samesite
---
 pkg/web/cookie/cookie_test.go | 8 +++++---
 pkg/web/cookie/new.go | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'pkg/web')
diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index 9ac1817..f7f013d 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -1,6 +1,7 @@
 package cookie
 import (
+ "net/http"
 "testing"
 "time"
@@ -13,9 +14,10 @@ func TestCookie(t *testing.T) {
 t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
 env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
 cookie := New("name", "value", time.Now().Add(1*time.Minute))
- assert.Equal(t, cookie.Domain, "sparkle.example.com")
- assert.Equal(t, cookie.HttpOnly, true)
- assert.Equal(t, cookie.Secure, true)
+ assert.Equal(t, "sparkle.example.com", cookie.Domain)
+ assert.Equal(t, true, cookie.HttpOnly)
+ assert.Equal(t, true, cookie.Secure)
+ assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
 })
 })
 })
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index 335b305..d4d0700 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
@@ -16,7 +16,7 @@ func New(name, value string, expires time.Time) *http.Cookie {
 Path: "/",
 HttpOnly: true,
 Secure: true,
- SameSite: http.SameSiteDefaultMode,
+ SameSite: http.SameSiteStrictMode,
 Domain: env.Fetch("HOST", "localhost"),
 }
 }
--
cgit v1.2.3
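Review bot: The new assertions only exercise the path where HOST is set; the `env.Fetch("HOST", "localhost")` fallback, which decides what domain every cookie is scoped to, has no test, so a regression there would pass CI. If `env.With` can clear a variable, add a sibling subtest with HOST unset that asserts `assert.Equal(t, "localhost", cookie.Domain)` together with the same Secure, HttpOnly and SameSite checks. The subtest name "returns a cookie pinned to the HOST" also overstates what an explicit Domain attribute does, since browsers send such a cookie to subdomains of that host as well; `t.Run("sets Domain from HOST", ...)` would be more accurate. TestCookie starts outside this hunk.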
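Review bot: The `Domain: env.Fetch("HOST", "localhost")` line just below the changed `SameSite` field makes every cookie a domain cookie, which browsers also send to every subdomain of HOST, so moving to Strict still leaves the cookie exposed to anything hosted under a subdomain of the app. Omitting `Domain` entirely yields a host-only cookie scoped to exactly HOST, and together with `Secure: true` and `Path: "/"` would also satisfy the requirements for the `__Host-` name prefix. Separately, a Strict cookie is never sent on a cross-site top-level navigation, so if any cookie built by `New` must survive a redirect back from an external identity provider (OAuth/OIDC callback) or a link opened from a mail client, that flow will break; either accept a per-cookie SameSite option or document the constraint on `New`, e.g. `// SameSite=Strict: never sent on cross-site navigations, including redirects back from an external identity provider.` The `New` function starts outside this hunk.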