Replace CSRF cookie with CrossOriginProtection#36183
Conversation
GiteaBot
added
the
lgtm/need 2
github-actions
bot
added
modifies/go
github-actions
bot
added
the
docs-update-needed
silverwind
changed the title
CrossOriginProtection
silverwind
changed the title
CrossOriginProtectionCrossOriginProtection
|
Test failures need investigation. I think I was quite thorough with this removal, |
silverwind
added
the
pr/breaking
|
Unexpectedly, the fix in 1eb058d worked to fix the last issue. I think there may be a underlying bug why this test is sensitive to a |
tests/integration/csrf_test.go
Outdated
There was a problem hiding this comment.
Maybe use a new test for CrossOriginProtection
There was a problem hiding this comment.
Yes I would still like to add a integration test that leverages Sec-Fetch-Site to validate this protection.
"breaking" usually means end users or site admins must do something, or experience something totally different. But for this one, I think it isn't really "breaking". WDYT? And, the TODOs are not necessary (or, we shouldn't "add additional trusted origins", there is no such use case) |
GiteaBot
added
the
lgtm/need 2
|
I think the cors handler could indicate in the request context that it had a match with a boolean flag, and then the COP handler could act on that flag and be disabled. |
|
I'm not sure your AI answer is right. Go's protection relies on So I'd lean towards having all endpoints protected, without exception. Restrictions can be relaxed later if issues are demonstrated. I will push again the full strict settings. |
AI's answer is right, I asked a general question.
That's Golang's implementation. And you MUST make CrossOriginProtection work with CORS config, but not just make a new default CrossOriginProtection. 
|
|
I don't mind having unprotected CORS routes but that AI answer seems nonsensical to me:
My understanding is that all requests, including CORS preflights will send one of 
|
See my comment above. "CrossOriginProtection" must accept (trust) that origin, if I understand correctly. |
|
I've read a bit more on these topics, these seem like good resources: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html From what I gather, these header checks alone are not recommended, but header checks combined with a SameSite cookie (lax or strict) is recommended as adequate protection. |
GiteaBot
added
lgtm/need 1
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
GiteaBot
added
lgtm/done
* giteaofficial/main: Fix panic when get editor config file (go-gitea#36241) Refactor compare router param parse (go-gitea#36105) [skip ci] Updated translations via Crowdin Use flatten translation keys (go-gitea#36225) Replace CSRF cookie with `CrossOriginProtection` (go-gitea#36183) Remove fomantic form module (go-gitea#36222) Fix panic in blame view when a file has only a single commit (go-gitea#36230) fix: spelling error in migrate-storage cmd utility (go-gitea#36226) # Conflicts: # templates/user/settings/security/twofa.tmpl
5 participants
Removes the CSRF cookie in favor of
CrossOriginProtectionwhich relies purely on HTTP headers.Fixes: #11188
Fixes: #30333
Helps: #35107
TODOs: