Comments (6)
You are right, `Strict` mode implies higher security rules which might have potential drawbacks. It prevents the browser from attaching any cookies to cross-site requests. For instance here, it prevented the browser from attaching any cookies you had for LastFM to the request (so you were not considered as logged in when the request arrived).
`Lax` provides a reasonable level of protection by preventing the browser from attaching any cookies to requests based on unsafe HTTP methods only (like POST). Thus I think it is judicious to switch to `SameSite=Lax`.
from gonic.
> EDIT: maybe it would make sense to not set Secure? a lot of people don't run gonic with HTTPS in front
If people run Gonic with HTTP, it makes sense indeed to skip the `Secure` flag at the application level. However, for people concerned about this flag, a workaround could be to set it at the web server level. For instance with nginx, one could adapt the configuration sample provided in README.md by using the `proxy_cookie_path` directive as such:
```nginx
location / {
    # Workaround to set the cookie Secure flag: rewrite the Path attribute
    # of every upstream Set-Cookie with Path=/ and append "secure" to it
    proxy_cookie_path / "/; secure";
    proxy_pass http://localhost:4747/;
    # set X-Forwarded-Host for last.fm connection callback
    proxy_set_header X-Forwarded-Host $host;
}
```
Should this be added to the documentation?
from gonic.
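The following is an added example, not gonic's code and not something posted in this thread. It shows the cookie settings the discussion above converges on: `HttpOnly` always, `SameSite=Lax` so that the top-level GET redirect back from last.fm still carries the session cookie, and `Secure` only when the request actually arrived over HTTPS, either directly or as declared by a reverse proxy through `X-Forwarded-Proto`. The cookie name, the login URL and the handler are assumptions made for the example, and the example assumes the reverse proxy is trusted to set or strip `X-Forwarded-Proto`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requestIsHTTPS reports whether the client reached us over TLS, either on a
// direct TLS listener or, when running behind a reverse proxy, as declared by
// the X-Forwarded-Proto header. Assumption: only a trusted proxy can set that
// header (untrusted clients could otherwise claim HTTPS on a plain connection).
func requestIsHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// sessionCookie builds the session cookie with the hardening discussed in the
// thread. SameSite=Lax (rather than Strict) keeps the cookie on the top-level
// navigation back from https://last.fm/... to /admin/link_lastfm_do, while
// still withholding it from cross-site POSTs. Secure is derived from the
// request so plain-HTTP deployments are not locked out of the admin UI.
func sessionCookie(r *http.Request, value string) *http.Cookie {
	return &http.Cookie{
		Name:     "gonic_session", // hypothetical cookie name for this example
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Secure:   requestIsHTTPS(r),
	}
}

// setCookieHeader runs a login-style handler through httptest with the given
// X-Forwarded-Proto value (empty = header absent) and returns the raw
// Set-Cookie header it produced, so the attributes can be inspected.
func setCookieHeader(forwardedProto string) string {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, sessionCookie(r, "opaque-session-id"))
	})
	// Constructed request; the URL is an assumption for the example.
	req := httptest.NewRequest(http.MethodPost, "http://gonic.example/admin/login_do", nil)
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Header().Get("Set-Cookie")
}

func main() {
	fmt.Println("plain HTTP:       ", setCookieHeader(""))
	fmt.Println("behind TLS proxy: ", setCookieHeader("https"))
}
```

Run as written, the first line shows `Path=/; HttpOnly; SameSite=Lax` and the second adds `Secure`, which is the same split the nginx `proxy_cookie_path` workaround achieves at the proxy, but decided per request by the application instead.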
hey thank you for that
here is where i'm at currently:
with a simple enough change
diff --git a/server/ctrladmin/ctrl.go b/server/ctrladmin/ctrl.go
index 7f131af..a75a4a0 100644
--- a/server/ctrladmin/ctrl.go
+++ b/server/ctrladmin/ctrl.go
@@ -98,11 +98,15 @@ func New(base *ctrlbase.Controller) *Controller {
})
tmplBase = extendFromPaths(tmplBase, prefixPartials)
tmplBase = extendFromPaths(tmplBase, prefixLayouts)
+ sessDB := gormstore.New(base.DB.DB, sessionKey)
+ sessDB.SessionOpts.Secure = true
+ sessDB.SessionOpts.HttpOnly = true
+ sessDB.SessionOpts.SameSite = http.SameSiteStrictMode
return &Controller{
Controller: base,
buffPool: bpool.NewBufferPool(64),
templates: pagesFromPaths(tmplBase, prefixPages),
- sessDB: gormstore.New(base.DB.DB, sessionKey),
+ sessDB: sessDB,
}
}
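Review bot: the new `sessDB.SessionOpts.Secure = true` and `sessDB.SessionOpts.SameSite = http.SameSiteStrictMode` lines hard-code two settings that the surrounding discussion already identifies as problems: with `Secure` the browser never sends the session cookie back to a gonic instance served over plain HTTP, so login silently fails for the many users without HTTPS in front, and with `Strict` the cookie is dropped on the cross-site redirect back from last.fm, which breaks the "link" flow. Suggest making `Secure` configurable (or deriving it from the request scheme / `X-Forwarded-Proto` behind a trusted proxy) and switching to `http.SameSiteLaxMode`. Also, the hunk references `http.SameSiteStrictMode` but shows no `net/http` import being added to ctrl.go; confirm the file already imports it, otherwise this will not compile.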
EDIT: maybe it would make sense to not set Secure? a lot of people don't run gonic with HTTPS in front
from gonic.
> hey thank you for that

No worries and thank you so much for working on this great streaming server and sharing it.

> here is where i'm at currently:

Looks great, good job!

> EDIT: maybe it would make sense to not set Secure? a lot of people don't run gonic with HTTPS in front

Then it makes sense indeed to skip `Secure`. As a consequence it is not worth working on prefixes since they rely on this flag.
from gonic.
thanks for the kind words :)
from gonic.
had another little look. it seems that last.fm "linking" doesn't work with SameSite=Strict
if you're not familiar with the last.fm thing: in the gonic ui you click "link" to connect with lastfm. you're redirected to https://last.fm/whatever?cb=https://gonic.your.server/admin/link_lastfm_do
(last.fm redirects you back to gonic with a token, then gonic stores the token)
however, it does work with a SameSite=Lax
what would you recommend here?
from gonic.