Skip to content
This repository has been archived by the owner on Nov 20, 2018. It is now read-only.

Adding SameSite attribute to SetCookies header #843

Merged
merged 1 commit into from
May 22, 2017
Merged

Adding SameSite attribute to SetCookies header #843

merged 1 commit into from
May 22, 2017

Conversation

JunTaoLuo
Copy link
Contributor

Addresses #710, will also update the CookiesPolicyMiddleware in Security.

@JunTaoLuo JunTaoLuo requested a review from Tratcher May 18, 2017 22:24
JunTaoLuo
JunTaoLuo commented May 18, 2017
View reviewed changes
src/Microsoft.AspNetCore.Http/Internal/ResponseCookies.cs Outdated
@@ -130,5 +131,20 @@ public void Delete(string key, CookieOptions options)
Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
});
}

private Net.Http.Headers.SameSiteEnforcementMode ConvertSameSiteEnforcementMode(SameSiteEnforcementMode sameSite)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a fan of the duplication since the two enums will need conversion.

cesarblum
cesarblum reviewed May 18, 2017
View reviewed changes
src/Microsoft.Net.Http.Headers/SameSiteEnforcementMode.cs Outdated

namespace Microsoft.Net.Http.Headers
{
public enum SameSiteEnforcementMode
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you need this in two different places?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Features and Net.Http.Headers cannot depend on each other.

src/Microsoft.Net.Http.Headers/SetCookieHeaderValue.cs Outdated
@@ -17,6 +17,9 @@ public class SetCookieHeaderValue
private const string DomainToken = "domain";
private const string PathToken = "path";
private const string SecureToken = "secure";
private const string SameSiteToken = "samesite";
private static readonly string SameSiteLaxToken = SameSiteEnforcementMode.Lax.ToString();
private static readonly string SameSiteStrictToken = SameSiteEnforcementMode.Strict.ToString();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ToLower() for consistency with other tokens?

Tratcher
Tratcher approved these changes May 18, 2017
View reviewed changes
src/Microsoft.AspNetCore.Http.Features/SameSiteEnforcementMode.cs Outdated

namespace Microsoft.AspNetCore.Http
{
public enum SameSiteEnforcementMode
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

// This mirrors Microsoft.Net.Http.Headers.SameSiteEnforcementMode

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SameSiteMode?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Link to the RFC?

src/Microsoft.Net.Http.Headers/SetCookieHeaderValue.cs Outdated
@@ -17,6 +17,9 @@ public class SetCookieHeaderValue
private const string DomainToken = "domain";
private const string PathToken = "path";
private const string SecureToken = "secure";
private const string SameSiteToken = "samesite";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RFC link

@JunTaoLuo JunTaoLuo force-pushed the johluo/samesite branch 5 times, most recently from 7ce2948 to 2b60dbc Compare May 19, 2017 01:15
@JunTaoLuo JunTaoLuo mentioned this pull request May 19, 2017
Merged
JunTaoLuo
JunTaoLuo commented May 20, 2017
View reviewed changes
src/Microsoft.AspNetCore.Http.Features/CookieOptions.cs Outdated
/// Gets or sets the value for the SameSite attribute of the cookie.
/// </summary>
/// <returns>The <see cref="SameSiteEnforcementMode"/> representing the enforcement mode of the cookie.</returns>
public SameSiteEnforcementMode SameSite { get; set; }
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blowdart should the default be strict?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup

Tratcher
Tratcher reviewed May 22, 2017
View reviewed changes
src/Microsoft.AspNetCore.Http.Features/SameSiteEnforcementMode.cs Outdated
{
// RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
// This mirrors Microsoft.Net.Http.Headers.SameSiteEnforcementMode
public enum SameSiteEnforcementMode
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SameSiteMode?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed

@Tratcher
Copy link
Member

:shipit:

@JunTaoLuo JunTaoLuo merged commit e8123db into dev May 22, 2017
@JunTaoLuo JunTaoLuo deleted the johluo/samesite branch May 22, 2017 21:43
This was referenced May 31, 2017
Merged
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@blowdart blowdart blowdart left review comments

@cesarblum cesarblum cesarblum left review comments

@Tratcher Tratcher Tratcher approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@JunTaoLuo @Tratcher @blowdart @cesarblum @dnfclas