[ARVADOS] updated: 2.1.0-197-g2c8b44cda
Git user
git at public.arvados.org
Wed Dec 9 14:38:37 UTC 2020
Summary of changes:
services/keep-web/handler.go | 1 +
1 file changed, 1 insertion(+)
via 2c8b44cdaefa4434eadbbe2cb24dabac8cc3bfa9 (commit)
from 8d39d92808607b59f2335c1251c480ac56ba7016 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 2c8b44cdaefa4434eadbbe2cb24dabac8cc3bfa9
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed Dec 9 09:34:14 2020 -0500
17202: Use explicit SameSite=Lax for 303-with-cookie.
This improves XSS protection on some browsers, including Safari and
Firefox for Android.
On most browsers, Lax is already the default.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 8e4274038..2d6fb78f8 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -773,6 +773,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
Value: auth.EncodeTokenCookie([]byte(formToken)),
Path: "/",
HttpOnly: true,
+ SameSite: http.SameSiteLaxMode,
})
}
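Review bot: the hunk shows `HttpOnly` and the new `SameSite: http.SameSiteLaxMode` but no `Secure` attribute on this cookie; if keep-web is served over TLS, consider adding `Secure: true` so the token cookie is never sent over plaintext. Lax is the correct mode here rather than Strict, since the browser must still attach the cookie on the top-level GET that follows the 303 `Location` redirect, and Strict would drop it when that navigation was initiated cross-site. A small test that asserts the `Set-Cookie` header on the 303 response carries `SameSite=Lax` would keep this from regressing.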