From 14cd16f1f81da03bed0483eab7214873041eb95c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=9C=C9=B4=E1=B4=8B=C9=B4=E1=B4=A1=E1=B4=8F=C9=B4?=
Date: Fri, 27 Mar 2020 00:08:46 +0800
Subject: [PATCH] csrf: set cookie HttpOnly and Secure (#6013)
---
 internal/cmd/web.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/internal/cmd/web.go b/internal/cmd/web.go
index 3ef925f4b..040674277 100644
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@@ -153,11 +153,14 @@ func newMacaron() *macaron.Macaron {
 Secure: conf.Session.CookieSecure,
 }))
 m.Use(csrf.Csrfer(csrf.Options{
- Secret: conf.Security.SecretKey,
- Cookie: conf.Session.CSRFCookieName,
- SetCookie: true,
- Header: "X-Csrf-Token",
- CookiePath: conf.Server.Subpath,
+ Secret: conf.Security.SecretKey,
+ Header: "X-Csrf-Token",
+ Cookie: conf.Session.CSRFCookieName,
+ CookieDomain: conf.Server.URL.Hostname(),
+ CookiePath: conf.Server.Subpath,
+ CookieHttpOnly: true,
+ SetCookie: true,
+ Secure: conf.Server.URL.Scheme == "https",
 }))
 m.Use(toolbox.Toolboxer(m, toolbox.Options{
 HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
@@ -412,9 +415,7 @@ func runWeb(c *cli.Context) error {
 Post(bindIgnErr(form.UpdateOrgSetting{}), org.SettingsPost)
 m.Post("/avatar", binding.MultipartForm(form.Avatar{}), org.SettingsAvatar)
 m.Post("/avatar/delete", org.SettingsDeleteAvatar)
-
 m.Group("/hooks", webhookRoutes)
-
 m.Route("/delete", "GET,POST", org.SettingsDelete)
 })
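Review bot: The new `CookieDomain: conf.Server.URL.Hostname()` line in the csrf.Options literal turns the CSRF cookie from a host-only cookie into a domain cookie, which browsers also send to every subdomain of the configured host; that is broader than the old block, which omitted Domain and so scoped the cookie to the exact host, so consider dropping that line unless sharing the token across subdomains is intended. The Secure flag is derived from `conf.Server.URL.Scheme == "https"` while the session cookie a few lines above uses `conf.Session.CookieSecure`, so the two cookies can disagree on a deployment where the external URL and the session setting differ; `Secure: conf.Session.CookieSecure,` would keep them consistent, or a short comment should say why the CSRF cookie is tied to the URL scheme instead. With `CookieHttpOnly: true`, any client-side script that reads the token from the cookie to fill the X-Csrf-Token header would stop working; presumably the token is rendered into the page instead, but a one-line comment on that option stating where the header value comes from would make the assumption explicit. newMacaron continues outside the hunk.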