[ARVADOS] updated: 2.1.0-197-g2c8b44cda

Git user git at public.arvados.org
Wed Dec 9 14:38:37 UTC 2020


Summary of changes:
 services/keep-web/handler.go | 1 +
 1 file changed, 1 insertion(+)

       via  2c8b44cdaefa4434eadbbe2cb24dabac8cc3bfa9 (commit)
      from  8d39d92808607b59f2335c1251c480ac56ba7016 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 2c8b44cdaefa4434eadbbe2cb24dabac8cc3bfa9
Author: Tom Clegg <tom at tomclegg.ca>
Date:   Wed Dec 9 09:34:14 2020 -0500

    17202: Use explicit SameSite=Lax for 303-with-cookie.
    
    This improves XSS protection on some browsers, including Safari and
    Firefox for Android.
    
    On most browsers, Lax is already the default.
    
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 8e4274038..2d6fb78f8 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -773,6 +773,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 			Value:    auth.EncodeTokenCookie([]byte(formToken)),
 			Path:     "/",
 			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
 		})
 	}
 
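Review bot: the added `SameSite: http.SameSiteLaxMode` line deserves a short comment explaining why Lax rather than Strict was chosen. The cookie is set on a 303 redirect and has to be sent on the top-level navigation that follows; if that navigation can originate from another site (the token arrives as `formToken`, i.e. from a form submission), Lax still attaches the cookie on the top-level GET while Strict would withhold it, which is the reason Lax is the right setting here and worth recording next to the field. Two related points: the commit message calls this XSS protection, but SameSite limits which cross-site requests carry the cookie (a CSRF-style concern), while the existing `HttpOnly: true` on the line above is what keeps the cookie out of reach of injected script, so the message should say cross-site request rather than XSS. Also, no `Secure` field is visible in this hunk; if keep-web is served over HTTPS the cookie should also set `Secure: true` so it is never transmitted in cleartext.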

-----------------------------------------------------------------------

