Add SameSitePolicy to CookiePolicyMiddleware

Author: JunTaoLuo

src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs

@@ -179,6 +179,7 @@ private CookieOptions BuildCookieOptions()
             var cookieOptions = new CookieOptions
             {
                 Domain = Options.CookieDomain,
+                SameSite = Options.CookieSameSite,
                 HttpOnly = Options.CookieHttpOnly,
                 Path = Options.CookiePath ?? (OriginalPathBase.HasValue ? OriginalPathBase.ToString() : "/"),
             };

src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs

@@ -4,7 +4,6 @@
 using System;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http;
-using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Authentication.Cookies
 {
@@ -23,6 +22,7 @@ public CookieAuthenticationOptions()
             ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
             ExpireTimeSpan = TimeSpan.FromDays(14);
             SlidingExpiration = true;
+            CookieSameSite = SameSiteEnforcementMode.None;
             CookieHttpOnly = true;
             CookieSecure = CookieSecurePolicy.SameAsRequest;
             Events = new CookieAuthenticationEvents();
@@ -57,6 +57,12 @@ public string CookieName
         /// </summary>
         public string CookiePath { get; set; }
 
+        /// <summary>
+        /// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
+        /// default is None, which means the cookie is allowed to be attached to all same-site and cross-site requests.
+        /// </summary>
+        public SameSiteEnforcementMode CookieSameSite { get; set; }
+
         /// <summary>
         /// Determines if the browser should allow the cookie to be accessed by client-side javascript. The
         /// default is true, which means the cookie will only be passed to http requests and is not made available

src/Microsoft.AspNetCore.CookiePolicy/CookiePolicyMiddleware.cs

@@ -74,7 +74,7 @@ public IResponseCookies Cookies
 
             private bool PolicyRequiresCookieOptions()
             {
-                return Policy.HttpOnly != HttpOnlyPolicy.None || Policy.Secure != CookieSecurePolicy.None;
+                return Policy.SameSite != SameSitePolicy.None || Policy.HttpOnly != HttpOnlyPolicy.None || Policy.Secure != CookieSecurePolicy.None;
             }
 
             public void Append(string key, string value)
@@ -151,6 +151,22 @@ private void ApplyPolicy(CookieOptions options)
                     default:
                         throw new InvalidOperationException();
                 }
+                switch (Policy.SameSite)
+                {
+                    case SameSitePolicy.None:
+                        break;
+                    case SameSitePolicy.LaxOrStrict:
+                        if (options.SameSite == SameSiteEnforcementMode.None)
+                        {
+                            options.SameSite = SameSiteEnforcementMode.Lax;
+                        }
+                        break;
+                    case SameSitePolicy.AlwaysStrict:
+                        options.SameSite = SameSiteEnforcementMode.Strict;
+                        break;
+                    default:
+                        throw new InvalidOperationException();
+                }
                 switch (Policy.HttpOnly)
                 {
                     case HttpOnlyPolicy.Always:

src/Microsoft.AspNetCore.CookiePolicy/CookiePolicyOptions.cs

@@ -12,6 +12,11 @@ namespace Microsoft.AspNetCore.Builder
     /// </summary>
     public class CookiePolicyOptions
     {
+        /// <summary>
+        /// Affects the cookie's same site attribute.
+        /// </summary>
+        public SameSitePolicy SameSite { get; set; } = SameSitePolicy.None;
+
         /// <summary>
         /// Affects whether cookies must be HttpOnly.
         /// </summary>

src/Microsoft.AspNetCore.CookiePolicy/SameSitePolicy.cs

@@ -0,0 +1,12 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNetCore.CookiePolicy
+{
+    public enum SameSitePolicy
+    {
+        None = 0,
+        LaxOrStrict,
+        AlwaysStrict
+    }
+}

test/Microsoft.AspNetCore.Authentication.Test/CookieTests.cs

@@ -136,6 +136,7 @@ public async Task SignInCausesDefaultCookieToBeCreated()
             Assert.StartsWith("TestCookie=", setCookie);
             Assert.Contains("; path=/", setCookie);
             Assert.Contains("; httponly", setCookie);
+            Assert.DoesNotContain("; samesite=", setCookie);
             Assert.DoesNotContain("; expires=", setCookie);
             Assert.DoesNotContain("; domain=", setCookie);
             Assert.DoesNotContain("; secure", setCookie);
@@ -206,6 +207,7 @@ public async Task CookieOptionsAlterSetCookieHeader()
                 o.CookiePath = "/foo";
                 o.CookieDomain = "another.com";
                 o.CookieSecure = CookieSecurePolicy.Always;
+                o.CookieSameSite = SameSiteEnforcementMode.None;
                 o.CookieHttpOnly = true;
             }, SignInAsAlice, baseAddress: new Uri("http://example.com/base"));
 
@@ -217,12 +219,14 @@ public async Task CookieOptionsAlterSetCookieHeader()
             Assert.Contains(" path=/foo", setCookie1);
             Assert.Contains(" domain=another.com", setCookie1);
             Assert.Contains(" secure", setCookie1);
+            Assert.DoesNotContain(" samesite", setCookie1);
             Assert.Contains(" httponly", setCookie1);
 
             var server2 = CreateServer(o =>
             {
                 o.CookieName = "SecondCookie";
                 o.CookieSecure = CookieSecurePolicy.None;
+                o.CookieSameSite = SameSiteEnforcementMode.Strict;
                 o.CookieHttpOnly = false;
             }, SignInAsAlice, baseAddress: new Uri("http://example.com/base"));
 
@@ -232,6 +236,7 @@ public async Task CookieOptionsAlterSetCookieHeader()
 
             Assert.Contains("SecondCookie=", setCookie2);
             Assert.Contains(" path=/base", setCookie2);
+            Assert.Contains(" samesite=strict", setCookie2);
             Assert.DoesNotContain(" domain=", setCookie2);
             Assert.DoesNotContain(" secure", setCookie2);
             Assert.DoesNotContain(" httponly", setCookie2);

test/Microsoft.AspNetCore.CookiePolicy.Test/CookiePolicyTests.cs

@@ -36,6 +36,15 @@ public class CookiePolicyTests
             context.Response.Cookies.Append("D", "D", new CookieOptions { HttpOnly = true });
             return Task.FromResult(0);
         };
+        private RequestDelegate SameSiteCookieAppends = context =>
+        {
+            context.Response.Cookies.Append("A", "A");
+            context.Response.Cookies.Append("B", "B", new CookieOptions { SameSite = Http.SameSiteEnforcementMode.None });
+            context.Response.Cookies.Append("C", "C", new CookieOptions());
+            context.Response.Cookies.Append("D", "D", new CookieOptions { SameSite = Http.SameSiteEnforcementMode.Lax });
+            context.Response.Cookies.Append("E", "E", new CookieOptions { SameSite = Http.SameSiteEnforcementMode.Strict });
+            return Task.FromResult(0);
+        };
 
         [Fact]
         public async Task SecureAlwaysSetsSecure()
@@ -146,6 +155,69 @@ await RunTest("/httpOnlyNone",
                 }));
         }
 
+        [Fact]
+        public async Task SameSiteStrictSetsItAlways()
+        {
+            await RunTest("/sameSiteStrict",
+                new CookiePolicyOptions
+                {
+                    SameSite = SameSitePolicy.AlwaysStrict
+                },
+                SameSiteCookieAppends,
+                new RequestTest("http://example.com/sameSiteStrict",
+                transaction =>
+                {
+                    Assert.NotNull(transaction.SetCookie);
+                    Assert.Equal("A=A; path=/; samesite=strict", transaction.SetCookie[0]);
+                    Assert.Equal("B=B; path=/; samesite=strict", transaction.SetCookie[1]);
+                    Assert.Equal("C=C; path=/; samesite=strict", transaction.SetCookie[2]);
+                    Assert.Equal("D=D; path=/; samesite=strict", transaction.SetCookie[3]);
+                    Assert.Equal("E=E; path=/; samesite=strict", transaction.SetCookie[4]);
+                }));
+        }
+
+        [Fact]
+        public async Task SameSiteLaxSetsItAlways()
+        {
+            await RunTest("/sameSiteLax",
+                new CookiePolicyOptions
+                {
+                    SameSite = SameSitePolicy.LaxOrStrict
+                },
+                SameSiteCookieAppends,
+                new RequestTest("http://example.com/sameSiteLax",
+                transaction =>
+                {
+                    Assert.NotNull(transaction.SetCookie);
+                    Assert.Equal("A=A; path=/; samesite=lax", transaction.SetCookie[0]);
+                    Assert.Equal("B=B; path=/; samesite=lax", transaction.SetCookie[1]);
+                    Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]);
+                    Assert.Equal("D=D; path=/; samesite=lax", transaction.SetCookie[3]);
+                    Assert.Equal("E=E; path=/; samesite=strict", transaction.SetCookie[4]);
+                }));
+        }
+
+        [Fact]
+        public async Task SameSiteNoneLeavesItAlone()
+        {
+            await RunTest("/sameSiteNone",
+                new CookiePolicyOptions
+                {
+                    HttpOnly = HttpOnlyPolicy.None
+                },
+                SameSiteCookieAppends,
+                new RequestTest("http://example.com/sameSiteNone",
+                transaction =>
+                {
+                    Assert.NotNull(transaction.SetCookie);
+                    Assert.Equal("A=A; path=/", transaction.SetCookie[0]);
+                    Assert.Equal("B=B; path=/", transaction.SetCookie[1]);
+                    Assert.Equal("C=C; path=/", transaction.SetCookie[2]);
+                    Assert.Equal("D=D; path=/; samesite=lax", transaction.SetCookie[3]);
+                    Assert.Equal("E=E; path=/; samesite=strict", transaction.SetCookie[4]);
+                }));
+        }
+
         [Fact]
         public async Task CookiePolicyCanHijackAppend()
         {