Skip to content

Commit

Permalink
feature: Support SameSite option (#123)
Browse files Browse the repository at this point in the history
* Add SameSite with build constraied
* Update options test
* Fix after feedback
* Add docs
  • Loading branch information
tflyons authored and elithrar committed Oct 8, 2019
1 parent 7b29b05 commit 4b50158
Show file tree
Hide file tree
Showing 8 changed files with 360 additions and 2 deletions.
28 changes: 28 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ go get github.com/gorilla/csrf
- [HTML Forms](#html-forms)
- [JavaScript Apps](#javascript-applications)
- [Google App Engine](#google-app-engine)
- [Setting SameSite](#setting-samesite)
- [Setting Options](#setting-options)

gorilla/csrf is easy to use: add the middleware to your router with
Expand Down Expand Up @@ -267,6 +268,30 @@ Note: You can ignore this if you're using the
[second-generation](https://cloud.google.com/appengine/docs/go/) Go runtime
on App Engine (Go 1.11 and above).

### Setting SameSite

Go 1.11 introduced the option to set the SameSite attribute in cookies. This is
valuable if a developer wants to instruct a browser to not include cookies during
a cross site request. SameSiteStrictMode prevents all cross site requests from including
the cookie. SameSiteLaxMode prevents CSRF prone requests (POST) from including the cookie
but allows the cookie to be included in GET requests to support external linking.

```go
func main() {
CSRF := csrf.Protect(
[]byte("a-32-byte-long-key-goes-here"),
// instruct the browser to never send cookies during cross site requests
csrf.SameSite(csrf.SameSiteStrictMode),
)

r := mux.NewRouter()
r.HandleFunc("/signup", GetSignupForm)
r.HandleFunc("/signup/post", PostSignupForm)

http.ListenAndServe(":8000", CSRF(r))
}
```

### Setting Options

What about providing your own error handler and changing the HTTP header the
Expand Down Expand Up @@ -314,6 +339,9 @@ Getting CSRF protection right is important, so here's some background:
- Cookies are authenticated and based on the [securecookie](https://github.com/gorilla/securecookie)
library. They're also Secure (issued over HTTPS only) and are HttpOnly
by default, because sane defaults are important.
- Cookie SameSite attribute (prevents cookies from being sent by a browser
during cross site requests) are not set by default to maintain backwards compatibility
for legacy systems. The SameSite attribute can be set with the SameSite option.
- Go's `crypto/rand` library is used to generate the 32 byte (256 bit) tokens
and the one-time-pad used for masking them.

Expand Down
18 changes: 18 additions & 0 deletions csrf.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,22 @@ var (
ErrBadToken = errors.New("CSRF token invalid")
)

// SameSiteMode allows a server to define a cookie attribute making it impossible for
// the browser to send this cookie along with cross-site requests. The main
// goal is to mitigate the risk of cross-origin information leakage, and provide
// some protection against cross-site request forgery attacks.
//
// See https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 for details.
type SameSiteMode int

// SameSite options
const (
SameSiteDefaultMode SameSiteMode = iota + 1
SameSiteLaxMode
SameSiteStrictMode
SameSiteNoneMode
)

type csrf struct {
h http.Handler
sc *securecookie.SecureCookie
Expand All @@ -68,6 +84,7 @@ type options struct {
// http.Cookie field instead of the "correct" HTTPOnly name that golint suggests.
HttpOnly bool
Secure bool
SameSite SameSiteMode
RequestHeader string
FieldName string
ErrorHandler http.Handler
Expand Down Expand Up @@ -166,6 +183,7 @@ func Protect(authKey []byte, opts ...Option) func(http.Handler) http.Handler {
maxAge: cs.opts.MaxAge,
secure: cs.opts.Secure,
httpOnly: cs.opts.HttpOnly,
sameSite: cs.opts.SameSite,
path: cs.opts.Path,
domain: cs.opts.Domain,
sc: cs.sc,
Expand Down
23 changes: 23 additions & 0 deletions options.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,26 @@ func HttpOnly(h bool) Option {
}
}

// SameSite sets the cookie SameSite attribute. Defaults to blank to maintain
// backwards compatibility, however, Strict is recommended.
//
// SameSite(SameSiteStrictMode) will prevent the cookie from being sent by the
// browser to the target site in all cross-site browsing context, even when
// following a regular link (GET request).
//
// SameSite(SameSiteLaxMode) provides a reasonable balance between security and
// usability for websites that want to maintain user's logged-in session after
// the user arrives from an external link. The session cookie would be allowed
// when following a regular link from an external website while blocking it in
// CSRF-prone request methods (e.g. POST).
//
// This option is only available for go 1.11+.
func SameSite(s SameSiteMode) Option {
return func(cs *csrf) {
cs.opts.SameSite = s
}
}

// ErrorHandler allows you to change the handler called when CSRF request
// processing encounters an invalid token or request. A typical use would be to
// provide a handler that returns a static HTML file with a HTTP 403 status. By
Expand Down Expand Up @@ -132,6 +152,9 @@ func parseOptions(h http.Handler, opts ...Option) *csrf {
cs.opts.Secure = true
cs.opts.HttpOnly = true

// Default to blank to maintain backwards compatibility
cs.opts.SameSite = SameSiteDefaultMode

// Default; only override this if the package user explicitly calls MaxAge(0)
cs.opts.MaxAge = defaultAge

Expand Down
5 changes: 5 additions & 0 deletions options_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ func TestOptions(t *testing.T) {
Path(path),
HttpOnly(false),
Secure(false),
SameSite(SameSiteStrictMode),
RequestHeader(header),
FieldName(field),
ErrorHandler(http.HandlerFunc(errorHandler)),
Expand Down Expand Up @@ -53,6 +54,10 @@ func TestOptions(t *testing.T) {
t.Errorf("Secure not set correctly: got %v want %v", cs.opts.Secure, false)
}

if cs.opts.SameSite != SameSiteStrictMode {
t.Errorf("SameSite not set correctly: got %v want %v", cs.opts.SameSite, SameSiteStrictMode)
}

if cs.opts.RequestHeader != header {
t.Errorf("RequestHeader not set correctly: got %v want %v", cs.opts.RequestHeader, header)
}
Expand Down
4 changes: 4 additions & 0 deletions store.go
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
// +build go1.11

package csrf

import (
Expand Down Expand Up @@ -28,6 +30,7 @@ type cookieStore struct {
path string
domain string
sc *securecookie.SecureCookie
sameSite SameSiteMode
}

// Get retrieves a CSRF token from the session cookie. It returns an empty token
Expand Down Expand Up @@ -63,6 +66,7 @@ func (cs *cookieStore) Save(token []byte, w http.ResponseWriter) error {
MaxAge: cs.maxAge,
HttpOnly: cs.httpOnly,
Secure: cs.secure,
SameSite: http.SameSite(cs.sameSite),
Path: cs.path,
Domain: cs.domain,
}
Expand Down
86 changes: 86 additions & 0 deletions store_legacy.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
// +build !go1.11
// file for compatibility with go versions prior to 1.11

package csrf

import (
"net/http"
"time"

"github.com/gorilla/securecookie"
)

// store represents the session storage used for CSRF tokens.
type store interface {
// Get returns the real CSRF token from the store.
Get(*http.Request) ([]byte, error)
// Save stores the real CSRF token in the store and writes a
// cookie to the http.ResponseWriter.
// For non-cookie stores, the cookie should contain a unique (256 bit) ID
// or key that references the token in the backend store.
// csrf.GenerateRandomBytes is a helper function for generating secure IDs.
Save(token []byte, w http.ResponseWriter) error
}

// cookieStore is a signed cookie session store for CSRF tokens.
type cookieStore struct {
name string
maxAge int
secure bool
httpOnly bool
path string
domain string
sc *securecookie.SecureCookie
sameSite SameSiteMode
}

// Get retrieves a CSRF token from the session cookie. It returns an empty token
// if decoding fails (e.g. HMAC validation fails or the named cookie doesn't exist).
func (cs *cookieStore) Get(r *http.Request) ([]byte, error) {
// Retrieve the cookie from the request
cookie, err := r.Cookie(cs.name)
if err != nil {
return nil, err
}

token := make([]byte, tokenLength)
// Decode the HMAC authenticated cookie.
err = cs.sc.Decode(cs.name, cookie.Value, &token)
if err != nil {
return nil, err
}

return token, nil
}

// Save stores the CSRF token in the session cookie.
func (cs *cookieStore) Save(token []byte, w http.ResponseWriter) error {
// Generate an encoded cookie value with the CSRF token.
encoded, err := cs.sc.Encode(cs.name, token)
if err != nil {
return err
}

cookie := &http.Cookie{
Name: cs.name,
Value: encoded,
MaxAge: cs.maxAge,
HttpOnly: cs.httpOnly,
Secure: cs.secure,
Path: cs.path,
Domain: cs.domain,
}

// Set the Expires field on the cookie based on the MaxAge
// If MaxAge <= 0, we don't set the Expires attribute, making the cookie
// session-only.
if cs.maxAge > 0 {
cookie.Expires = time.Now().Add(
time.Duration(cs.maxAge) * time.Second)
}

// Write the authenticated cookie to the response.
http.SetCookie(w, cookie)

return nil
}
Loading

0 comments on commit 4b50158

Please sign in to comment.