Add SameSite attribute to SetCookie header

JunTaoLuo · JunTaoLuo · commit 82f4a68363fa · 2017-05-18T12:30:13.000-07:00
diff --git a/src/Microsoft.AspNetCore.Http.Features/CookieOptions.cs b/src/Microsoft.AspNetCore.Http.Features/CookieOptions.cs
@@ -42,6 +42,13 @@ public CookieOptions()
         /// <returns>true to transmit the cookie only over an SSL connection (HTTPS); otherwise, false.</returns>
         public bool Secure { get; set; }
 
+
+        /// <summary>
+        /// Gets or sets the value for the SameSite attribute of the cookie.
+        /// </summary>
+        /// <returns>The <see cref="SameSiteEnforcementMode"/> representing the enforcement mode of the cookie.</returns>
+        public SameSiteEnforcementMode SameSite { get; set; }
+
         /// <summary>
         /// Gets or sets a value that indicates whether a cookie is accessible by client-side script.
         /// </summary>
diff --git a/src/Microsoft.AspNetCore.Http.Features/SameSiteEnforcementMode.cs b/src/Microsoft.AspNetCore.Http.Features/SameSiteEnforcementMode.cs
@@ -0,0 +1,12 @@
+﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNetCore.Http
+{
+    public enum SameSiteEnforcementMode
+    {
+        None = 0,
+        Lax,
+        Strict
+    }
+}
diff --git a/src/Microsoft.AspNetCore.Http/Internal/ResponseCookies.cs b/src/Microsoft.AspNetCore.Http/Internal/ResponseCookies.cs
@@ -62,7 +62,8 @@ public void Append(string key, string value, CookieOptions options)
                 Path = options.Path,
                 Expires = options.Expires,
                 Secure = options.Secure,
-                HttpOnly = options.HttpOnly,
+                SameSite = options.SameSite,
+                HttpOnly = options.HttpOnly
             };
 
             var cookieValue = setCookieHeaderValue.ToString();
diff --git a/src/Microsoft.Net.Http.Headers/Microsoft.Net.Http.Headers.csproj b/src/Microsoft.Net.Http.Headers/Microsoft.Net.Http.Headers.csproj
@@ -12,6 +12,10 @@
     <EnableApiCheck>false</EnableApiCheck>
   </PropertyGroup>
 
+  <ItemGroup>
+    <ProjectReference Include="..\Microsoft.AspNetCore.Http.Features\Microsoft.AspNetCore.Http.Features.csproj" />
+  </ItemGroup>
+
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Primitives" Version="$(AspNetCoreVersion)" />
   </ItemGroup>
diff --git a/src/Microsoft.Net.Http.Headers/SetCookieHeaderValue.cs b/src/Microsoft.Net.Http.Headers/SetCookieHeaderValue.cs
@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Diagnostics.Contracts;
 using System.Text;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
 
 namespace Microsoft.Net.Http.Headers
@@ -17,6 +18,9 @@ public class SetCookieHeaderValue
         private const string DomainToken = "domain";
         private const string PathToken = "path";
         private const string SecureToken = "secure";
+        private const string SameSiteToken = "samesite";
+        private static readonly string SameSiteLaxToken = SameSiteEnforcementMode.Lax.ToString();
+        private static readonly string SameSiteStrictToken = SameSiteEnforcementMode.Strict.ToString();
         private const string HttpOnlyToken = "httponly";
         private const string SeparatorToken = "; ";
         private const string EqualsToken = "=";
@@ -87,15 +91,18 @@ public string Value
 
         public bool Secure { get; set; }
 
+        public SameSiteEnforcementMode SameSite { get; set; }
+
         public bool HttpOnly { get; set; }
 
-        // name="val ue"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; httponly
+        // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax}; httponly
         public override string ToString()
         {
             var length = _name.Length + EqualsToken.Length + _value.Length;
 
             string expires = null;
             string maxAge = null;
+            string sameSite = null;
 
             if (Expires.HasValue)
             {
@@ -124,6 +131,12 @@ public override string ToString()
                 length += SeparatorToken.Length + SecureToken.Length;
             }
 
+            if (SameSite != SameSiteEnforcementMode.None)
+            {
+                sameSite = SameSite == SameSiteEnforcementMode.Lax ? SameSiteLaxToken : SameSiteStrictToken;
+                length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;
+            }
+
             if (HttpOnly)
             {
                 length += SeparatorToken.Length + HttpOnlyToken.Length;
@@ -160,6 +173,11 @@ public override string ToString()
                 AppendSegment(ref sb, SecureToken, null);
             }
 
+            if (SameSite != SameSiteEnforcementMode.None)
+            {
+                AppendSegment(ref sb, SameSiteToken, sameSite);
+            }
+
             if (HttpOnly)
             {
                 AppendSegment(ref sb, HttpOnlyToken, null);
@@ -218,6 +236,11 @@ public void AppendToStringBuilder(StringBuilder builder)
                 AppendSegment(builder, SecureToken, null);
             }
 
+            if (SameSite != SameSiteEnforcementMode.None)
+            {
+                AppendSegment(builder, SameSiteToken, SameSite == SameSiteEnforcementMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);
+            }
+
             if (HttpOnly)
             {
                 AppendSegment(builder, HttpOnlyToken, null);
@@ -267,7 +290,7 @@ public static bool TryParseStrictList(IList<string> inputs, out IList<SetCookieH
             return MultipleValueParser.TryParseStrictValues(inputs, out parsedValues);
         }
 
-        // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; httponly
+        // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax}; httponly
         private static int GetSetCookieLength(string input, int startIndex, out SetCookieHeaderValue parsedValue)
         {
             Contract.Requires(startIndex >= 0);
@@ -322,7 +345,7 @@ private static int GetSetCookieLength(string input, int startIndex, out SetCooki
 
                 offset += HttpRuleParser.GetWhitespaceLength(input, offset);
 
-                //  cookie-av = expires-av / max-age-av / domain-av / path-av / secure-av / httponly-av / extension-av
+                //  cookie-av = expires-av / max-age-av / domain-av / path-av / secure-av / samesite-av / httponly-av / extension-av
                 itemLength = HttpRuleParser.GetTokenLength(input, offset);
                 if (itemLength == 0)
                 {
@@ -402,6 +425,28 @@ private static int GetSetCookieLength(string input, int startIndex, out SetCooki
                 {
                     result.Secure = true;
                 }
+                // samesite-av = "SameSite" / "SameSite=" samesite-value
+                // samesite-value = "Strict" / "Lax"
+                else if (string.Equals(token, SameSiteToken, StringComparison.OrdinalIgnoreCase))
+                {
+                    if (!ReadEqualsSign(input, ref offset))
+                    {
+                        result.SameSite = SameSiteEnforcementMode.Strict;
+                    }
+                    else
+                    {
+                        var enforcementMode = ReadToSemicolonOrEnd(input, ref offset);
+
+                        if (string.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))
+                        {
+                            result.SameSite = SameSiteEnforcementMode.Lax;
+                        }
+                        else if (string.Equals(enforcementMode, SameSiteStrictToken, StringComparison.OrdinalIgnoreCase))
+                        {
+                            result.SameSite = SameSiteEnforcementMode.Strict;
+                        }
+                    }
+                }
                 // httponly-av = "HttpOnly"
                 else if (string.Equals(token, HttpOnlyToken, StringComparison.OrdinalIgnoreCase))
                 {
@@ -459,6 +504,7 @@ public override bool Equals(object obj)
                 && string.Equals(Domain, other.Domain, StringComparison.OrdinalIgnoreCase)
                 && string.Equals(Path, other.Path, StringComparison.OrdinalIgnoreCase)
                 && Secure == other.Secure
+                && SameSite == other.SameSite
                 && HttpOnly == other.HttpOnly;
         }
 
@@ -471,6 +517,7 @@ public override int GetHashCode()
                 ^ (Domain != null ? StringComparer.OrdinalIgnoreCase.GetHashCode(Domain) : 0)
                 ^ (Path != null ? StringComparer.OrdinalIgnoreCase.GetHashCode(Path) : 0)
                 ^ Secure.GetHashCode()
+                ^ SameSite.GetHashCode()
                 ^ HttpOnly.GetHashCode();
         }
     }
diff --git a/test/Microsoft.Net.Http.Headers.Tests/SetCookieHeaderValueTest.cs b/test/Microsoft.Net.Http.Headers.Tests/SetCookieHeaderValueTest.cs
@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Text;
+using Microsoft.AspNetCore.Http;
 using Xunit;
 
 namespace Microsoft.Net.Http.Headers
@@ -20,12 +21,13 @@ public static TheoryData<SetCookieHeaderValue, string> SetCookieHeaderDataSet
                 {
                     Domain = "domain1",
                     Expires = new DateTimeOffset(1994, 11, 6, 8, 49, 37, TimeSpan.Zero),
+                    SameSite = SameSiteEnforcementMode.Strict,
                     HttpOnly = true,
                     MaxAge = TimeSpan.FromDays(1),
                     Path = "path1",
                     Secure = true
                 };
-                dataset.Add(header1, "name1=n1=v1&n2=v2&n3=v3; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; httponly");
+                dataset.Add(header1, "name1=n1=v1&n2=v2&n3=v3; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite=Strict; httponly");
 
                 var header2 = new SetCookieHeaderValue("name2", "");
                 dataset.Add(header2, "name2=");
@@ -106,12 +108,13 @@ public static TheoryData<IList<SetCookieHeaderValue>, string[]> ListOfSetCookieH
                 {
                     Domain = "domain1",
                     Expires = new DateTimeOffset(1994, 11, 6, 8, 49, 37, TimeSpan.Zero),
+                    SameSite = SameSiteEnforcementMode.Lax,
                     HttpOnly = true,
                     MaxAge = TimeSpan.FromDays(1),
                     Path = "path1",
                     Secure = true
                 };
-                var string1 = "name1=n1=v1&n2=v2&n3=v3; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; httponly";
+                var string1 = "name1=n1=v1&n2=v2&n3=v3; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite=Lax; httponly";
 
                 var header2 = new SetCookieHeaderValue("name2", "value2");
                 var string2 = "name2=value2";
@@ -152,12 +155,13 @@ public static TheoryData<IList<SetCookieHeaderValue>, string[]> ListWithInvalidS
                 {
                     Domain = "domain1",
                     Expires = new DateTimeOffset(1994, 11, 6, 8, 49, 37, TimeSpan.Zero),
+                    SameSite = SameSiteEnforcementMode.Strict,
                     HttpOnly = true,
                     MaxAge = TimeSpan.FromDays(1),
                     Path = "path1",
                     Secure = true
                 };
-                var string1 = "name1=n1=v1&n2=v2&n3=v3; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; httponly";
+                var string1 = "name1=n1=v1&n2=v2&n3=v3; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite=Strict; httponly";
 
                 var header2 = new SetCookieHeaderValue("name2", "value2");
                 var string2 = "name2=value2";
