login - Add SameSite: None to all cookies.
https://web.dev/samesite-cookies-explained/
If we don't add this then in a future Chrome release
any Skia site that uses skia.org as the point of login
(which is almost all of them) will fail to work.
Change-Id: I4b90a93c4827429daf744109880bdb9b44d912bb
Reviewed-on: https://skia-review.googlesource.com/c/buildbot/+/303578
Commit-Queue: Joe Gregorio <jcgregorio@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
diff --git a/go/login/login.go b/go/login/login.go
index d03178a..8e9f699 100644
--- a/go/login/login.go
+++ b/go/login/login.go
@@ -236,6 +236,8 @@
Domain: domainFromHost(r.Host),
HttpOnly: true,
Expires: time.Now().Add(365 * 24 * time.Hour),
+ SameSite: http.SameSiteNoneMode,
+ Secure: true,
}
http.SetCookie(w, cookie)
} else {
@@ -433,6 +435,8 @@
Domain: domainFromHost(r.Host),
HttpOnly: true,
Expires: time.Now().Add(365 * 24 * time.Hour),
+ SameSite: http.SameSiteNoneMode,
+ Secure: true,
}, nil
}
diff --git a/go/login/login_test.go b/go/login/login_test.go
index 3ef72c0..7b57708 100644
--- a/go/login/login_test.go
+++ b/go/login/login_test.go
@@ -27,6 +27,9 @@
}
url := LoginURL(w, r)
assert.Contains(t, w.HeaderMap.Get("Set-Cookie"), SESSION_COOKIE_NAME, "Session cookie should be set.")
+ assert.Contains(t, w.HeaderMap.Get("Set-Cookie"), "SameSite=None", "SameSite should be set.")
+ assert.Contains(t, w.HeaderMap.Get("Set-Cookie"), "Secure", "Secure should be set.")
+
assert.Contains(t, url, "approval_prompt=auto", "Not forced into prompt.")
cookie := &http.Cookie{
Name: SESSION_COOKIE_NAME,
