Fix #1523 by adding secure cookie if SameSite mode is None

2025-07-13 01:30:31 +02:00 · 2020-12-03 10:21:31 +03:00
parent cb15226984
commit dc147d9b97
2 changed files with 43 additions and 2 deletions
--- a/middleware/csrf_test.go
+++ b/middleware/csrf_test.go
@ -1,6 +1,7 @@
 package middleware

 import (
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@ -117,3 +118,43 @@ func TestCSRFWithoutSameSiteMode(t *testing.T) {
 	assert.NoError(t, r)
 	assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
 }
+
+func TestCSRFWithSameSiteDefaultMode(t *testing.T) {
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	csrf := CSRFWithConfig(CSRFConfig{
+		CookieSameSite: http.SameSiteDefaultMode,
+	})
+
+	h := csrf(func(c echo.Context) error {
+		return c.String(http.StatusOK, "test")
+	})
+
+	r := h(c)
+	assert.NoError(t, r)
+	fmt.Println(rec.Header()["Set-Cookie"])
+	assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
+}
+
+func TestCSRFWithSameSiteModeNone(t *testing.T) {
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	csrf := CSRFWithConfig(CSRFConfig{
+		CookieSameSite: http.SameSiteNoneMode,
+	})
+
+	h := csrf(func(c echo.Context) error {
+		return c.String(http.StatusOK, "test")
+	})
+
+	r := h(c)
+	assert.NoError(t, r)
+	assert.Regexp(t, "SameSite=None", rec.Header()["Set-Cookie"])
+	assert.Regexp(t, "Secure", rec.Header()["Set-Cookie"])
+}