config: validate cookie_secure option (#4484)

Do not allow the combination of 'cookie_same_site: none' and 'cookie_secure: false'. Cookies with SameSite=None must also set the Secure option, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#none.
2025-05-19 03:57:17 +02:00 · 2023-08-23 10:43:01 -07:00 · 2023-08-23 10:43:01 -07:00 · 5a4acc5cd3
commit 5a4acc5cd3
parent c95f1695ec
2 changed files with 6 additions and 0 deletions
--- a/config/options.go
+++ b/config/options.go
@ -767,6 +767,8 @@ func (o *Options) Validate() error {

 	if err := ValidateCookieSameSite(o.CookieSameSite); err != nil {
 		return fmt.Errorf("config: invalid cookie_same_site: %w", err)
+	} else if !o.CookieSecure && o.GetCookieSameSite() == http.SameSiteNoneMode {
+		return errors.New("config: cannot use cookie_same_site: none with cookie_secure: false")
 	}

 	if err := ValidateLogLevel(o.LogLevel); err != nil {
--- a/config/options_test.go
+++ b/config/options_test.go
@ -62,6 +62,9 @@ func Test_Validate(t *testing.T) {
 	missingStorageDSN.DataBrokerStorageType = "redis"
 	badSignoutRedirectURL := testOptions()
 	badSignoutRedirectURL.SignOutRedirectURLString = "--"
+	badCookieSettings := testOptions()
+	badCookieSettings.CookieSameSite = "none"
+	badCookieSettings.CookieSecure = false

 	tests := []struct {
 		name     string
@ -76,6 +79,7 @@ func Test_Validate(t *testing.T) {
 		{"invalid databroker storage type", invalidStorageType, true},
 		{"missing databroker storage dsn", missingStorageDSN, true},
 		{"invalid signout redirect url", badSignoutRedirectURL, true},
+		{"CookieSameSite none with CookieSecure fale", badCookieSettings, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {