CRSF with Sec-Fetch-Site=same-site falls back to legacy token

Author: aldas

middleware/csrf.go

@@ -291,13 +291,13 @@ func (config CSRFConfig) checkSecFetchSiteRequest(c echo.Context) (bool, error)
 	}
 	// we are here when request is state-changing and `cross-site` or `same-site`
 
-	// Note: if you want to allow `same-site` use config.TrustedOrigins or `config.AllowSecFetchSiteFunc`
+	// Note: if you want to block `same-site` use config.TrustedOrigins or `config.AllowSecFetchSiteFunc`
 	if config.AllowSecFetchSiteFunc != nil {
 		return config.AllowSecFetchSiteFunc(c)
 	}
 
 	if secFetchSite == "same-site" {
-		return false, echo.NewHTTPError(http.StatusForbidden, "same-site request blocked by CSRF")
+		return false, nil // fall back to legacy token
 	}
 	return false, echo.NewHTTPError(http.StatusForbidden, "cross-site request blocked by CSRF")
 }

middleware/csrf_test.go

@@ -559,7 +559,7 @@ func TestCSRFConfig_checkSecFetchSiteRequest(t *testing.T) {
 			whenMethod:       http.MethodPost,
 			whenSecFetchSite: "same-site",
 			expectAllow:      false,
-			expectErr:        `code=403, message=same-site request blocked by CSRF`,
+			expectErr:        ``,
 		},
 		{
 			name:             "ok, unsafe POST + same-origin passes",
@@ -617,7 +617,7 @@ func TestCSRFConfig_checkSecFetchSiteRequest(t *testing.T) {
 			whenMethod:       http.MethodPut,
 			whenSecFetchSite: "same-site",
 			expectAllow:      false,
-			expectErr:        `code=403, message=same-site request blocked by CSRF`,
+			expectErr:        ``,
 		},
 		{
 			name:             "nok, unsafe DELETE + cross-site is blocked",
@@ -633,7 +633,7 @@ func TestCSRFConfig_checkSecFetchSiteRequest(t *testing.T) {
 			whenMethod:       http.MethodDelete,
 			whenSecFetchSite: "same-site",
 			expectAllow:      false,
-			expectErr:        `code=403, message=same-site request blocked by CSRF`,
+			expectErr:        ``,
 		},
 		{
 			name:             "nok, unsafe PATCH + cross-site is blocked",