|
|
@ -1,60 +1,19 @@ |
|
|
using Microsoft.AspNetCore.Builder; |
|
|
using Microsoft.AspNetCore.Builder; |
|
|
using Microsoft.AspNetCore.Http; |
|
|
using Microsoft.AspNetCore.Http; |
|
|
using System; |
|
|
|
|
|
|
|
|
|
|
|
/* |
|
|
|
|
|
* See: https://community.abp.io/articles/patch-for-chrome-login-issue-identityserver4-samesite-cookie-problem-weypwp3n
|
|
|
|
|
|
*/ |
|
|
|
|
|
|
|
|
|
|
|
namespace Microsoft.Extensions.DependencyInjection |
|
|
namespace Microsoft.Extensions.DependencyInjection |
|
|
{ |
|
|
{ |
|
|
public static class SameSiteCookiesServiceCollectionExtensions |
|
|
public static class SameSiteCookiesServiceCollectionExtensions |
|
|
{ |
|
|
{ |
|
|
/// <summary>
|
|
|
public static IServiceCollection AddSameSiteCookiePolicy(this IServiceCollection services) |
|
|
/// -1 defines the unspecified value, which tells ASPNET Core to NOT
|
|
|
|
|
|
/// send the SameSite attribute. With ASPNET Core 3.1 the
|
|
|
|
|
|
/// <seealso cref="SameSiteMode" /> enum will have a definition for
|
|
|
|
|
|
/// Unspecified.
|
|
|
|
|
|
/// </summary>
|
|
|
|
|
|
private const SameSiteMode Unspecified = (SameSiteMode)(-1); |
|
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
|
/// Configures a cookie policy to properly set the SameSite attribute
|
|
|
|
|
|
/// for Browsers that handle unknown values as Strict. Ensure that you
|
|
|
|
|
|
/// add the <seealso cref="Microsoft.AspNetCore.CookiePolicy.CookiePolicyMiddleware" />
|
|
|
|
|
|
/// into the pipeline before sending any cookies!
|
|
|
|
|
|
/// </summary>
|
|
|
|
|
|
/// <remarks>
|
|
|
|
|
|
/// Minimum ASPNET Core Version required for this code:
|
|
|
|
|
|
/// - 2.1.14
|
|
|
|
|
|
/// - 2.2.8
|
|
|
|
|
|
/// - 3.0.1
|
|
|
|
|
|
/// - 3.1.0-preview1
|
|
|
|
|
|
/// Starting with version 80 of Chrome (to be released in February 2020)
|
|
|
|
|
|
/// cookies with NO SameSite attribute are treated as SameSite=Lax.
|
|
|
|
|
|
/// In order to always get the cookies send they need to be set to
|
|
|
|
|
|
/// SameSite=None. But since the current standard only defines Lax and
|
|
|
|
|
|
/// Strict as valid values there are some browsers that treat invalid
|
|
|
|
|
|
/// values as SameSite=Strict. We therefore need to check the browser
|
|
|
|
|
|
/// and either send SameSite=None or prevent the sending of SameSite=None.
|
|
|
|
|
|
/// Relevant links:
|
|
|
|
|
|
/// - https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1
|
|
|
|
|
|
/// - https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
|
|
|
|
|
|
/// - https://www.chromium.org/updates/same-site
|
|
|
|
|
|
/// - https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
|
|
|
|
|
|
/// - https://bugs.webkit.org/show_bug.cgi?id=198181
|
|
|
|
|
|
/// </remarks>
|
|
|
|
|
|
/// <param name="services">The service collection to register <see cref="CookiePolicyOptions" /> into.</param>
|
|
|
|
|
|
/// <returns>The modified <see cref="IServiceCollection" />.</returns>
|
|
|
|
|
|
public static IServiceCollection ConfigureNonBreakingSameSiteCookies(this IServiceCollection services) |
|
|
|
|
|
{ |
|
|
{ |
|
|
services.Configure<CookiePolicyOptions>(options => |
|
|
services.Configure<CookiePolicyOptions>(options => |
|
|
{ |
|
|
{ |
|
|
options.MinimumSameSitePolicy = Unspecified; |
|
|
options.MinimumSameSitePolicy = SameSiteMode.Unspecified; |
|
|
options.OnAppendCookie = cookieContext => |
|
|
options.OnAppendCookie = cookieContext => |
|
|
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); |
|
|
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); |
|
|
options.OnDeleteCookie = cookieContext => |
|
|
options.OnDeleteCookie = cookieContext => |
|
|
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); |
|
|
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); |
|
|
}); |
|
|
}); |
|
|
|
|
|
|
|
|
return services; |
|
|
return services; |
|
|
@ -65,99 +24,47 @@ namespace Microsoft.Extensions.DependencyInjection |
|
|
if (options.SameSite == SameSiteMode.None) |
|
|
if (options.SameSite == SameSiteMode.None) |
|
|
{ |
|
|
{ |
|
|
var userAgent = httpContext.Request.Headers["User-Agent"].ToString(); |
|
|
var userAgent = httpContext.Request.Headers["User-Agent"].ToString(); |
|
|
|
|
|
if (!httpContext.Request.IsHttps || DisallowsSameSiteNone(userAgent)) |
|
|
if (DisallowsSameSiteNone(userAgent)) |
|
|
|
|
|
{ |
|
|
{ |
|
|
options.SameSite = Unspecified; |
|
|
// For .NET Core < 3.1 set SameSite = (SameSiteMode)(-1)
|
|
|
|
|
|
options.SameSite = SameSiteMode.Unspecified; |
|
|
} |
|
|
} |
|
|
} |
|
|
} |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
|
/// Checks if the UserAgent is known to interpret an unknown value as Strict.
|
|
|
|
|
|
/// For those the <see cref="CookieOptions.SameSite" /> property should be
|
|
|
|
|
|
/// set to <see cref="Unspecified" />.
|
|
|
|
|
|
/// </summary>
|
|
|
|
|
|
/// <remarks>
|
|
|
|
|
|
/// This code is taken from Microsoft:
|
|
|
|
|
|
/// https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
|
|
|
|
|
|
/// </remarks>
|
|
|
|
|
|
/// <param name="userAgent">The user agent string to check.</param>
|
|
|
|
|
|
/// <returns>Whether the specified user agent (browser) accepts SameSite=None or not.</returns>
|
|
|
|
|
|
private static bool DisallowsSameSiteNone(string userAgent) |
|
|
private static bool DisallowsSameSiteNone(string userAgent) |
|
|
{ |
|
|
{ |
|
|
// Cover all iOS based browsers here. This includes:
|
|
|
// Cover all iOS based browsers here. This includes:
|
|
|
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
|
|
|
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
|
|
|
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
|
|
|
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
|
|
|
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
|
|
|
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
|
|
|
// All of which are broken by SameSite=None, because they use the
|
|
|
// All of which are broken by SameSite=None, because they use the iOS networking stack
|
|
|
// iOS networking stack.
|
|
|
if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12")) |
|
|
// Notes from Thinktecture:
|
|
|
|
|
|
// Regarding https://caniuse.com/#search=samesite iOS versions lower
|
|
|
|
|
|
// than 12 are not supporting SameSite at all. Starting with version 13
|
|
|
|
|
|
// unknown values are NOT treated as strict anymore. Therefore we only
|
|
|
|
|
|
// need to check version 12.
|
|
|
|
|
|
if (userAgent.Contains("CPU iPhone OS 12") |
|
|
|
|
|
|| userAgent.Contains("iPad; CPU OS 12")) |
|
|
|
|
|
{ |
|
|
{ |
|
|
return true; |
|
|
return true; |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// Cover Mac OS X based browsers that use the Mac OS networking stack.
|
|
|
// Cover Mac OS X based browsers that use the Mac OS networking stack. This includes:
|
|
|
// This includes:
|
|
|
// - Safari on Mac OS X.
|
|
|
// - Safari on Mac OS X.
|
|
|
|
|
|
// This does not include:
|
|
|
// This does not include:
|
|
|
// - Chrome on Mac OS X
|
|
|
// - Chrome on Mac OS X
|
|
|
// because they do not use the Mac OS networking stack.
|
|
|
// Because they do not use the Mac OS networking stack.
|
|
|
// Notes from Thinktecture:
|
|
|
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") && |
|
|
// Regarding https://caniuse.com/#search=samesite MacOS X versions lower
|
|
|
userAgent.Contains("Version/") && userAgent.Contains("Safari")) |
|
|
// than 10.14 are not supporting SameSite at all. Starting with version
|
|
|
|
|
|
// 10.15 unknown values are NOT treated as strict anymore. Therefore we
|
|
|
|
|
|
// only need to check version 10.14.
|
|
|
|
|
|
if (userAgent.Contains("Safari") |
|
|
|
|
|
&& userAgent.Contains("Macintosh; Intel Mac OS X 10_14") |
|
|
|
|
|
&& userAgent.Contains("Version/")) |
|
|
|
|
|
{ |
|
|
{ |
|
|
return true; |
|
|
return true; |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// Cover Chrome 50-69, because some versions are broken by SameSite=None
|
|
|
// Cover Chrome 50-69, because some versions are broken by SameSite=None,
|
|
|
// and none in this range require it.
|
|
|
// and none in this range require it.
|
|
|
// Note: this covers some pre-Chromium Edge versions,
|
|
|
// Note: this covers some pre-Chromium Edge versions,
|
|
|
// but pre-Chromium Edge does not require SameSite=None.
|
|
|
// but pre-Chromium Edge does not require SameSite=None.
|
|
|
// Notes from Thinktecture:
|
|
|
|
|
|
// We can not validate this assumption, but we trust Microsofts
|
|
|
|
|
|
// evaluation. And overall not sending a SameSite value equals to the same
|
|
|
|
|
|
// behavior as SameSite=None for these old versions anyways.
|
|
|
|
|
|
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6")) |
|
|
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6")) |
|
|
{ |
|
|
{ |
|
|
return true; |
|
|
return true; |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
if (GetChromeVersion(userAgent) >= 80) |
|
|
|
|
|
{ |
|
|
|
|
|
return true; |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
return false; |
|
|
return false; |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
private static int GetChromeVersion(string userAgent) |
|
|
|
|
|
{ |
|
|
|
|
|
try |
|
|
|
|
|
{ |
|
|
|
|
|
string version = "0"; |
|
|
|
|
|
var chromeAgents = userAgent.Split("Chrome/"); |
|
|
|
|
|
if (chromeAgents.Length > 1 && chromeAgents[1].Split('.').Length > 0) |
|
|
|
|
|
{ |
|
|
|
|
|
version = chromeAgents[1].Split('.')[0]; |
|
|
|
|
|
} |
|
|
|
|
|
return Convert.ToInt32(version); |
|
|
|
|
|
} |
|
|
|
|
|
catch (Exception) |
|
|
|
|
|
{ |
|
|
|
|
|
return 0; |
|
|
|
|
|
} |
|
|
|
|
|
} |
|
|
|
|
|
} |
|
|
} |
|
|
} |
|
|
} |
cKey
4 years ago