From 8362bf7f637375cedc0f695046bddaf6166571c6 Mon Sep 17 00:00:00 2001
From: Arne Luenser
Date: Wed, 13 Sep 2023 16:18:11 +0200
Subject: [PATCH] fix: ignore more cloudflare cookies

---
 selfservice/flow/request.go | 3 ++-
 selfservice/flow/request_test.go | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/selfservice/flow/request.go b/selfservice/flow/request.go
index 1fe427c5b4fe..6db872f43199 100644
--- a/selfservice/flow/request.go
+++ b/selfservice/flow/request.go
@@ -53,9 +53,10 @@ func EnsureCSRF(
 	}
 
 	// Workaround for Cloudflare setting cookies that we can't control.
+	// https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cloudflare-cookies/
 	var cookies []string
 	for _, c := range r.Cookies() {
-		if !strings.HasPrefix(c.Name, "__cf") {
+		if !(strings.HasPrefix(c.Name, "__cf") || strings.HasPrefix(c.Name, "_cf") || strings.HasPrefix(c.Name, "cf_")) {
 			cookies = append(cookies, c.Name)
 		}
 	}
diff --git a/selfservice/flow/request_test.go b/selfservice/flow/request_test.go
index 477baae11810..adc47f6149c9 100644
--- a/selfservice/flow/request_test.go
+++ b/selfservice/flow/request_test.go
@@ -47,7 +47,7 @@ func TestVerifyRequest(t *testing.T) {
 
 	// Cloudflare
 	require.NoError(t, flow.EnsureCSRF(reg, &http.Request{
-		Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7"}},
+		Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7", "_cfuvid=blub", "cf_clearance=bla"}},
 	}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), "should ignore Cloudflare cookies")
 	require.NoError(t, flow.EnsureCSRF(reg, &http.Request{
 		Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7; __cfruid=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7"}},
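Review bot: The new condition in request.go widens what the cookie check ignores from the single prefix `__cf` to any name starting with `_cf` or `cf_`, and `__cf` is now redundant because every name matching it also matches `_cf`. Since this loop decides which cookies the CSRF check gets to see, an over-broad prefix silently exempts any future application or third-party cookie that happens to start with `cf_` or `_cf`; the linked Cloudflare page lists concrete names, so an explicit list is safer to review than prefixes. I would hoist the set into a package-level `var cloudflareCookiePrefixes = []string{"_cf", "cf_"}` (or exact names such as `__cflb`, `__cfruid`, `_cfuvid`, `cf_clearance` from the test) and replace the condition with a small `isCloudflareCookie(c.Name)` helper that ranges over it, with a comment stating why each entry is exempt. The enclosing function EnsureCSRF begins before this hunk.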
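Review bot: The extended assertion in request_test.go only exercises the ignore path; nothing in this hunk pins that a cookie whose name merely resembles the new prefixes is still reported. If the rest of TestVerifyRequest does not already do so, add a negative case such as `Header: http.Header{"Cookie": {"cfoo=1"}}` asserting `require.Error` so a later broadening of the prefix list is caught by the test rather than going unnoticed.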