From f5323e0eecffbf3bb5950aa26d1430b1e735d23b Mon Sep 17 00:00:00 2001 From: Lakhan Samani Date: Wed, 28 Sep 2022 10:36:56 +0530 Subject: [PATCH] fix(server): update comments for host & cookies --- server/cookie/cookie.go | 2 ++ server/parsers/url.go | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/server/cookie/cookie.go b/server/cookie/cookie.go index 5bb1996..efc8885 100644 --- a/server/cookie/cookie.go +++ b/server/cookie/cookie.go @@ -30,6 +30,8 @@ func SetSession(gc *gin.Context, sessionID string) { } // Use sameSite = lax by default + // Since app cookie can come from cross site it becomes important to set this in lax mode. + // Example person using custom UI on their app domain and making request to authorizer domain. // For more information check: // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite // https://github.com/gin-gonic/gin/blob/master/context.go#L86 diff --git a/server/parsers/url.go b/server/parsers/url.go index 315dc0e..c98ad54 100644 --- a/server/parsers/url.go +++ b/server/parsers/url.go @@ -11,8 +11,8 @@ import ( ) // GetHost returns hostname from request context -// if X-Authorizer-URL header is set it is given highest priority -// if EnvKeyAuthorizerURL is set it is given second highest priority. +// if EnvKeyAuthorizerURL is set it is given highest priority. +// if X-Authorizer-URL header is set it is given second highest priority // if above 2 are not set the requesting host name is used func GetHost(c *gin.Context) string { authorizerURL, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL)