Quirks

Tratcher · Tratcher · commit 187f59e7be07 · 2019-10-08T14:53:18.000-07:00
diff --git a/src/Http/Http.Abstractions/src/CookieBuilder.cs b/src/Http/Http.Abstractions/src/CookieBuilder.cs
@@ -11,8 +11,20 @@ namespace Microsoft.AspNetCore.Http
     /// </summary>
     public class CookieBuilder
     {
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
         private string _name;
 
+        static CookieBuilder()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.Net.Http.Headers.SetCookieHeaderValue.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         /// <summary>
         /// The name of the cookie.
         /// </summary>
@@ -49,12 +61,12 @@ public virtual string Name
         public virtual bool HttpOnly { get; set; }
 
         /// <summary>
-        /// The SameSite attribute of the cookie. The default value is <see cref="SameSiteMode.None"/>
+        /// The SameSite attribute of the cookie. The default value is -1 (Unspecified)
         /// </summary>
         /// <remarks>
         /// Determines the value that will set on <seealso cref="CookieOptions.SameSite"/>.
         /// </remarks>
-        public virtual SameSiteMode SameSite { get; set; } = SameSiteMode.None;
+        public virtual SameSiteMode SameSite { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : (SameSiteMode)(-1);
 
         /// <summary>
         /// The policy that will be used to determine <seealso cref="CookieOptions.Secure"/>.
diff --git a/src/Http/Http.Features/src/CookieOptions.cs b/src/Http/Http.Features/src/CookieOptions.cs
@@ -10,6 +10,18 @@ namespace Microsoft.AspNetCore.Http
     /// </summary>
     public class CookieOptions
     {
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
+        static CookieOptions()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.Net.Http.Headers.SetCookieHeaderValue.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         /// <summary>
         /// Creates a default cookie with a path of '/'.
         /// </summary>
@@ -43,10 +55,10 @@ public CookieOptions()
         public bool Secure { get; set; }
 
         /// <summary>
-        /// Gets or sets the value for the SameSite attribute of the cookie. The default value is <see cref="SameSiteMode.None"/>
+        /// Gets or sets the value for the SameSite attribute of the cookie. The default value is -1 (Unspecified)
         /// </summary>
         /// <returns>The <see cref="SameSiteMode"/> representing the enforcement mode of the cookie.</returns>
-        public SameSiteMode SameSite { get; set; } = SameSiteMode.None;
+        public SameSiteMode SameSite { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : (SameSiteMode)(-1);
 
         /// <summary>
         /// Gets or sets a value that indicates whether a cookie is accessible by client-side script.
diff --git a/src/Security/CookiePolicy/src/CookiePolicyOptions.cs b/src/Security/CookiePolicy/src/CookiePolicyOptions.cs
@@ -12,10 +12,22 @@ namespace Microsoft.AspNetCore.Builder
     /// </summary>
     public class CookiePolicyOptions
     {
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
+        static CookiePolicyOptions()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.Net.Http.Headers.SetCookieHeaderValue.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         /// <summary>
         /// Affects the cookie's same site attribute.
         /// </summary>
-        public SameSiteMode MinimumSameSitePolicy { get; set; } = SameSiteMode.None;
+        public SameSiteMode MinimumSameSitePolicy { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : (SameSiteMode)(-1);
 
         /// <summary>
         /// Affects whether cookies must be HttpOnly.
diff --git a/src/Security/CookiePolicy/src/ResponseCookiesWrapper.cs b/src/Security/CookiePolicy/src/ResponseCookiesWrapper.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -115,7 +115,8 @@ public string CreateConsentCookie()
         private bool CheckPolicyRequired()
         {
             return !CanTrack
-                || Options.MinimumSameSitePolicy != SameSiteMode.None
+                || (CookiePolicyOptions.SuppressSameSiteNone && Options.MinimumSameSitePolicy != SameSiteMode.None)
+                || (!CookiePolicyOptions.SuppressSameSiteNone && Options.MinimumSameSitePolicy != (SameSiteMode)(-1)) // Unspecified
                 || Options.HttpOnly != HttpOnlyPolicy.None
                 || Options.Secure != CookieSecurePolicy.None;
         }
@@ -241,27 +242,13 @@ private void ApplyPolicy(string key, CookieOptions options)
                 default:
                     throw new InvalidOperationException();
             }
-            switch (Options.MinimumSameSitePolicy)
+
+            if (options.SameSite < Options.MinimumSameSitePolicy)
             {
-                case SameSiteMode.None:
-                    break;
-                case SameSiteMode.Lax:
-                    if (options.SameSite == SameSiteMode.None)
-                    {
-                        options.SameSite = SameSiteMode.Lax;
-                        _logger.CookieSameSiteUpgraded(key, "lax");
-                    }
-                    break;
-                case SameSiteMode.Strict:
-                    if (options.SameSite != SameSiteMode.Strict)
-                    {
-                        options.SameSite = SameSiteMode.Strict;
-                        _logger.CookieSameSiteUpgraded(key, "strict");
-                    }
-                    break;
-                default:
-                    throw new InvalidOperationException($"Unrecognized {nameof(SameSiteMode)} value {Options.MinimumSameSitePolicy.ToString()}");
+                options.SameSite = Options.MinimumSameSitePolicy;
+                _logger.CookieSameSiteUpgraded(key, Options.MinimumSameSitePolicy.ToString());
             }
+
             switch (Options.HttpOnly)
             {
                 case HttpOnlyPolicy.Always:
@@ -278,4 +265,4 @@ private void ApplyPolicy(string key, CookieOptions options)
             }
         }
     }
-}
+}
diff --git a/src/Security/CookiePolicy/test/CookieConsentTests.cs b/src/Security/CookiePolicy/test/CookieConsentTests.cs
@@ -223,12 +223,12 @@ public async Task GrantConsentSetsCookie()
             Assert.Equal("yes", consentCookie.Value);
             Assert.True(consentCookie.Expires.HasValue);
             Assert.True(consentCookie.Expires.Value > DateTimeOffset.Now + TimeSpan.FromDays(364));
-            Assert.Equal(Net.Http.Headers.SameSiteMode.None, consentCookie.SameSite);
+            Assert.Equal((Net.Http.Headers.SameSiteMode)(-1), consentCookie.SameSite);
             Assert.NotNull(consentCookie.Expires);
             var testCookie = cookies[1];
             Assert.Equal("Test", testCookie.Name);
             Assert.Equal("Value", testCookie.Value);
-            Assert.Equal(Net.Http.Headers.SameSiteMode.None, testCookie.SameSite);
+            Assert.Equal((Net.Http.Headers.SameSiteMode)(-1), testCookie.SameSite);
             Assert.Null(testCookie.Expires);
         }
 
@@ -400,12 +400,12 @@ public async Task WithdrawConsentDeletesCookie()
             var testCookie = cookies[0];
             Assert.Equal("Test", testCookie.Name);
             Assert.Equal("Value1", testCookie.Value);
-            Assert.Equal(Net.Http.Headers.SameSiteMode.None, testCookie.SameSite);
+            Assert.Equal((Net.Http.Headers.SameSiteMode)(-1), testCookie.SameSite);
             Assert.Null(testCookie.Expires);
             var consentCookie = cookies[1];
             Assert.Equal(".AspNet.Consent", consentCookie.Name);
             Assert.Equal("", consentCookie.Value);
-            Assert.Equal(Net.Http.Headers.SameSiteMode.None, consentCookie.SameSite);
+            Assert.Equal((Net.Http.Headers.SameSiteMode)(-1), consentCookie.SameSite);
             Assert.NotNull(consentCookie.Expires);
         }
 
@@ -512,7 +512,7 @@ public async Task DeleteCookieDoesNotRequireConsent()
             var testCookie = cookies[0];
             Assert.Equal("Test", testCookie.Name);
             Assert.Equal("", testCookie.Value);
-            Assert.Equal(Net.Http.Headers.SameSiteMode.None, testCookie.SameSite);
+            Assert.Equal((Net.Http.Headers.SameSiteMode)(-1), testCookie.SameSite);
             Assert.NotNull(testCookie.Expires);
         }
 
@@ -576,7 +576,7 @@ public async Task CreateConsentCookieMatchesGrantConsentCookie()
             var consentCookie = cookies[0];
             Assert.Equal(".AspNet.Consent", consentCookie.Name);
             Assert.Equal("yes", consentCookie.Value);
-            Assert.Equal(Net.Http.Headers.SameSiteMode.None, consentCookie.SameSite);
+            Assert.Equal((Net.Http.Headers.SameSiteMode)(-1), consentCookie.SameSite);
             Assert.NotNull(consentCookie.Expires);
 
             cookies = SetCookieHeaderValue.ParseList(httpContext.Response.Headers["ManualCookie"]);
diff --git a/src/Security/CookiePolicy/test/CookiePolicyTests.cs b/src/Security/CookiePolicy/test/CookiePolicyTests.cs
@@ -39,8 +39,8 @@ public class CookiePolicyTests
         private RequestDelegate SameSiteCookieAppends = context =>
         {
             context.Response.Cookies.Append("A", "A");
-            context.Response.Cookies.Append("B", "B", new CookieOptions { SameSite = Http.SameSiteMode.None });
-            context.Response.Cookies.Append("C", "C", new CookieOptions());
+            context.Response.Cookies.Append("B", "B", new CookieOptions());
+            context.Response.Cookies.Append("C", "C", new CookieOptions { SameSite = Http.SameSiteMode.None });
             context.Response.Cookies.Append("D", "D", new CookieOptions { SameSite = Http.SameSiteMode.Lax });
             context.Response.Cookies.Append("E", "E", new CookieOptions { SameSite = Http.SameSiteMode.Strict });
             return Task.FromResult(0);
@@ -198,7 +198,7 @@ await RunTest("/sameSiteLax",
         }
 
         [Fact]
-        public async Task SameSiteNoneLeavesItAlone()
+        public async Task SameSiteNoneSetsItAlways()
         {
             await RunTest("/sameSiteNone",
                 new CookiePolicyOptions
@@ -208,11 +208,32 @@ await RunTest("/sameSiteNone",
                 SameSiteCookieAppends,
                 new RequestTest("http://example.com/sameSiteNone",
                 transaction =>
+                {
+                    Assert.NotNull(transaction.SetCookie);
+                    Assert.Equal("A=A; path=/; samesite=none", transaction.SetCookie[0]);
+                    Assert.Equal("B=B; path=/; samesite=none", transaction.SetCookie[1]);
+                    Assert.Equal("C=C; path=/; samesite=none", transaction.SetCookie[2]);
+                    Assert.Equal("D=D; path=/; samesite=lax", transaction.SetCookie[3]);
+                    Assert.Equal("E=E; path=/; samesite=strict", transaction.SetCookie[4]);
+                }));
+        }
+
+        [Fact]
+        public async Task SameSiteUnspecifiedLeavesItAlone()
+        {
+            await RunTest("/sameSiteNone",
+                new CookiePolicyOptions
+                {
+                    MinimumSameSitePolicy = (Http.SameSiteMode)(-1)
+                },
+                SameSiteCookieAppends,
+                new RequestTest("http://example.com/sameSiteNone",
+                transaction =>
                 {
                     Assert.NotNull(transaction.SetCookie);
                     Assert.Equal("A=A; path=/", transaction.SetCookie[0]);
                     Assert.Equal("B=B; path=/", transaction.SetCookie[1]);
-                    Assert.Equal("C=C; path=/", transaction.SetCookie[2]);
+                    Assert.Equal("C=C; path=/; samesite=none", transaction.SetCookie[2]);
                     Assert.Equal("D=D; path=/; samesite=lax", transaction.SetCookie[3]);
                     Assert.Equal("E=E; path=/; samesite=strict", transaction.SetCookie[4]);
                 }));
