Implement anti csrf measures

This is done by using the "samesite" cookie attribute.

2 files changed, 36 insertions, 2 deletions

diff --git a/doc/source/config.rst b/doc/source/config.rst
index fc0df2d..c271403 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -115,6 +115,26 @@ It can either be ``enabled`` or ``disabled``.
   sp.auto_cookie_secure.enable();
   sp.auto_cookie_secure.disable();
 
+cookie_samesite
+^^^^^^^^^^^^^^^^
+ * `default: disabled`
+ 
+``samesite`` will add the `samesite <https://tools.ietf.org/html/draft-west-first-party-cookies-07>`_
+attribute to cookies. It `prevents CSRF <https://www.owasp.org/index.php/SameSite>`_
+but is not implemented by `all web browsers <https://caniuse.com/#search=samesite>`_ yet.
+
+It can either be set to ``strict`` or ``lax``:
+
+- The ``lax`` attribute prevents cookies from being sent cross-domain for
+  "dangerous" methods, like ``POST``, ``PUT`` or ``DELETE``.
+
+- The ``strict`` one prevents any cookies from beind sent cross-domain.
+
+::
+
+  sp.cookie.name("cookie1").samesite("lax");
+  sp.cookie.name("cookie2").samesite("strict");;
+
 .. _cookie-encryption_config:
 
 cookie_encryption
@@ -137,8 +157,8 @@ It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` m
 
 ::
 
-  sp.cookie_encryption.cookie("my_cookie_name");
-  sp.cookie_encryption.cookie("another_cookie_name");
+  sp.cookie.name("my_cookie_name").encrypt();
+  sp.cookie.name("another_cookie_name").encrypt();
 
 Choosing the proper environment variable
 """"""""""""""""""""""""""""""""""""""""
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 3643326..c4239e9 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -321,6 +321,20 @@ would be to use a different user to run PHP than for administrating the website,
 and using this feature to lock this up.
 
 
+Protection against cross site request forgery
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Cross-site request forgery, sometimes abbreviated as *CSRF*,
+is when unauthorised commands are issued from a user that the application trusts.
+For example, if a user is authenticated on a banking website,
+an other site might present something like 
+``<img src="http://mybank.com/transfer?from=user&to=attack&amount=1337EUR">``,
+effectivement transfering money from the user's account to the attacker one.
+
+Snuffleupagus can prevent this (in `supported browsers <https://caniuse.com/#search=samesite>`__)
+by setting the `samesite <https://tools.ietf.org/html/draft-west-first-party-cookies-07>`__
+attribute on cookies.
+
 
 Dumping capabilities
 ^^^^^^^^^^^^^^^^^^^^