mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-13 03:19:08 +09:00
0fdff0c79b
setCSRFCookie set no SameSite attribute despite a nolint comment claiming it did, so the OIDC state/nonce cookies relied on the browser default. Set Lax explicitly (Strict would drop the cookie on the cross-site IdP->callback navigation and break login), hardening browsers that do not default to Lax against OIDC login CSRF.