From b6bd878f276f762ab816e10eb40a55e9147e7eca Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Tue, 18 Apr 2017 20:33:50 -0700
Subject: [PATCH] Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes

The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies if the `__Host-` prefix is used (https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2). There's no need to set it to the host by default, so make it optional. If it is set to a non-empty value, still output a warning if it is not a suffix of the host, as that's likely not wanted.

Fixes #352.
---
 README.md | 2 +-
 oauthproxy.go | 17 ++++++-----------
 2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index be73f36..093a981 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ Usage of oauth2_proxy:
 -client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
 -client-secret string: the OAuth Client Secret
 -config string: path to config file
- -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)*
+ -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)
 -cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
 -cookie-httponly: set HttpOnly cookie flag (default true)
 -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
diff --git a/oauthproxy.go b/oauthproxy.go
index dd2b58e..1c62aa8 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -155,16 +155,12 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
 log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)
- domain := opts.CookieDomain
- if domain == "" {
- domain = ""
- }
 refresh := "disabled"
 if opts.CookieRefresh != time.Duration(0) {
 refresh = fmt.Sprintf("after %s", opts.CookieRefresh)
 }
- log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain, refresh)
+ log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, opts.CookieDomain, refresh)
 var cipher *cookie.Cipher
 if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
@@ -267,22 +263,21 @@ func (p *OAuthProxy) MakeCSRFCookie(req *http.Request, value string, expiration
 }
 func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, expiration time.Duration, now time.Time) *http.Cookie {
- domain := req.Host
- if h, _, err := net.SplitHostPort(domain); err == nil {
- domain = h
- }
 if p.CookieDomain != "" {
+ domain := req.Host
+ if h, _, err := net.SplitHostPort(domain); err == nil {
+ domain = h
+ }
 if !strings.HasSuffix(domain, p.CookieDomain) {
 log.Printf("Warning: request host is %q but using configured cookie domain of %q", domain, p.CookieDomain)
 }
- domain = p.CookieDomain
 }
 return &http.Cookie{
 Name: name,
 Value: value,
 Path: "/",
- Domain: domain,
+ Domain: p.CookieDomain,
 HttpOnly: p.CookieHttpOnly,
 Secure: p.CookieSecure,
 Expires: now.Add(expiration),
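Review bot: The `__Host-` prefix this change is meant to enable is still emitted silently when its other requirements are not met — `makeCookie` fixes `Path: "/"`, but `Secure` comes from `p.CookieSecure` and `Domain` from `p.CookieDomain`, so a `__Host-` cookie name combined with `-cookie-secure=false` or a non-empty cookie domain produces a Set-Cookie the browser drops, which shows up as an authentication loop with nothing in the log (the same applies to `__Secure-` without `Secure`). The retained suffix check is also a weak diagnostic: with the README's example `.yourcompany.com`, a request to the apex host `yourcompany.com` fails `HasSuffix` and warns, while `notyourcompany.com` passes `HasSuffix` against a configured `yourcompany.com`, so the comparison should be made on a label boundary. The sketch below warns on a prefix/attribute mismatch and fixes the suffix comparison; ideally the prefix rule is enforced once in option validation rather than logged per request, but `makeCookie` is where all three attributes are visible together. The body of `makeCookie` continues past the end of the hunk.

```go
	if p.CookieDomain != "" {
		// … unchanged: derive domain from req.Host …
		// Compare on a label boundary: "yourcompany.com" matches ".yourcompany.com",
		// "notyourcompany.com" does not match "yourcompany.com".
		want := strings.TrimPrefix(p.CookieDomain, ".")
		if domain != want && !strings.HasSuffix(domain, "."+want) {
			log.Printf("Warning: request host is %q but using configured cookie domain of %q", domain, p.CookieDomain)
		}
	}
	// Browsers only accept a __Host- cookie that is Secure, has Path=/ and no Domain
	// attribute, and a __Secure- cookie that is Secure; a mismatch is dropped silently.
	if strings.HasPrefix(name, "__Host-") && (!p.CookieSecure || p.CookieDomain != "") {
		log.Printf("Warning: cookie %q uses the __Host- prefix but secure=%v domain=%q; browsers will reject it", name, p.CookieSecure, p.CookieDomain)
	} else if strings.HasPrefix(name, "__Secure-") && !p.CookieSecure {
		log.Printf("Warning: cookie %q uses the __Secure- prefix but cookie-secure is false; browsers will reject it", name)
	}
	// … unchanged: return &http.Cookie{…} …
```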