Feedback

Author: JunTaoLuo

NuGet.config

@@ -4,5 +4,6 @@
     <add key="AspNetCore" value="https://dotnet.myget.org/F/aspnetcore-ci-dev/api/v3/index.json" />
     <add key="AspNetCoreTools" value="https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json" />
     <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
+    <add key="temp" value="C:\gh\HttpAbstractions\artifacts\build" />
   </packageSources>
 </configuration>

shared/Microsoft.AspNetCore.ChunkingCookieManager.Sources/ChunkingCookieManager.cs

@@ -284,6 +284,7 @@ public void DeleteCookie(HttpContext context, string key, CookieOptions options)
                 {
                     Path = options.Path,
                     Domain = options.Domain,
+                    SameSite = options.SameSite,
                     Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
                 });
 
@@ -297,6 +298,7 @@ public void DeleteCookie(HttpContext context, string key, CookieOptions options)
                     {
                         Path = options.Path,
                         Domain = options.Domain,
+                        SameSite = options.SameSite,
                         Expires = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
                     });
             }

src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs

@@ -22,7 +22,7 @@ public CookieAuthenticationOptions()
             ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
             ExpireTimeSpan = TimeSpan.FromDays(14);
             SlidingExpiration = true;
-            CookieSameSite = SameSiteEnforcementMode.None;
+            CookieSameSite = SameSiteEnforcementMode.Strict;
             CookieHttpOnly = true;
             CookieSecure = CookieSecurePolicy.SameAsRequest;
             Events = new CookieAuthenticationEvents();
@@ -59,7 +59,7 @@ public string CookieName
 
         /// <summary>
         /// Determines if the browser should allow the cookie to be attached to same-site or cross-site requests. The
-        /// default is None, which means the cookie is allowed to be attached to all same-site and cross-site requests.
+        /// default is Strict, which means the cookie is only allowed to be attached to same-site requests.
         /// </summary>
         public SameSiteEnforcementMode CookieSameSite { get; set; }
 

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

@@ -899,6 +899,7 @@ private void WriteNonceCookie(string nonce)
                 new CookieOptions
                 {
                     HttpOnly = true,
+                    SameSite = Http.SameSiteEnforcementMode.Lax,
                     Secure = Request.IsHttps,
                     Expires = Clock.UtcNow.Add(Options.ProtocolValidator.NonceLifetime)
                 });
@@ -930,6 +931,7 @@ private string ReadNonceCookie(string nonce)
                             var cookieOptions = new CookieOptions
                             {
                                 HttpOnly = true,
+                                SameSite = Http.SameSiteEnforcementMode.Lax,
                                 Secure = Request.IsHttps
                             };
 

src/Microsoft.AspNetCore.Authentication.Twitter/TwitterHandler.cs

@@ -83,6 +83,7 @@ protected override async Task<AuthenticateResult> HandleRemoteAuthenticateAsync(
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteEnforcementMode.Lax,
                 Secure = Request.IsHttps
             };
 
@@ -160,6 +161,7 @@ protected override async Task HandleUnauthorizedAsync(ChallengeContext context)
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteEnforcementMode.Lax,
                 Secure = Request.IsHttps,
                 Expires = Clock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
             };

src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs

@@ -203,6 +203,7 @@ protected virtual void GenerateCorrelationId(AuthenticationProperties properties
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteEnforcementMode.Lax,
                 Secure = Request.IsHttps,
                 Expires = Clock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
             };
@@ -242,6 +243,7 @@ protected virtual bool ValidateCorrelationId(AuthenticationProperties properties
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                SameSite = SameSiteEnforcementMode.Lax,
                 Secure = Request.IsHttps
             };
             Response.Cookies.Delete(cookieName, cookieOptions);

src/Microsoft.AspNetCore.CookiePolicy/CookiePolicyMiddleware.cs

@@ -74,7 +74,7 @@ public IResponseCookies Cookies
 
             private bool PolicyRequiresCookieOptions()
             {
-                return Policy.SameSite != SameSitePolicy.None || Policy.HttpOnly != HttpOnlyPolicy.None || Policy.Secure != CookieSecurePolicy.None;
+                return Policy.SameSite != MinimumSameSiteStrictnessPolicy.None || Policy.HttpOnly != HttpOnlyPolicy.None || Policy.Secure != CookieSecurePolicy.None;
             }
 
             public void Append(string key, string value)
@@ -153,19 +153,19 @@ private void ApplyPolicy(CookieOptions options)
                 }
                 switch (Policy.SameSite)
                 {
-                    case SameSitePolicy.None:
+                    case MinimumSameSiteStrictnessPolicy.None:
                         break;
-                    case SameSitePolicy.LaxOrStrict:
+                    case MinimumSameSiteStrictnessPolicy.Lax:
                         if (options.SameSite == SameSiteEnforcementMode.None)
                         {
                             options.SameSite = SameSiteEnforcementMode.Lax;
                         }
                         break;
-                    case SameSitePolicy.AlwaysStrict:
+                    case MinimumSameSiteStrictnessPolicy.Strict:
                         options.SameSite = SameSiteEnforcementMode.Strict;
                         break;
                     default:
-                        throw new InvalidOperationException();
+                        throw new InvalidOperationException($"Unrecognized {nameof(MinimumSameSiteStrictnessPolicy)} value {Policy.SameSite.ToString()}");
                 }
                 switch (Policy.HttpOnly)
                 {
@@ -175,7 +175,7 @@ private void ApplyPolicy(CookieOptions options)
                     case HttpOnlyPolicy.None:
                         break;
                     default:
-                        throw new InvalidOperationException();
+                        throw new InvalidOperationException($"Unrecognized {nameof(HttpOnlyPolicy)} value {Policy.HttpOnly.ToString()}");
                 }
             }
         }

src/Microsoft.AspNetCore.CookiePolicy/CookiePolicyOptions.cs

@@ -15,7 +15,7 @@ public class CookiePolicyOptions
         /// <summary>
         /// Affects the cookie's same site attribute.
         /// </summary>
-        public SameSitePolicy SameSite { get; set; } = SameSitePolicy.None;
+        public MinimumSameSiteStrictnessPolicy SameSite { get; set; } = MinimumSameSiteStrictnessPolicy.Strict;
 
         /// <summary>
         /// Affects whether cookies must be HttpOnly.

src/Microsoft.AspNetCore.CookiePolicy/SameSitePolicy.cs

@@ -3,10 +3,10 @@
 
 namespace Microsoft.AspNetCore.CookiePolicy
 {
-    public enum SameSitePolicy
+    public enum MinimumSameSiteStrictnessPolicy
     {
         None = 0,
-        LaxOrStrict,
-        AlwaysStrict
+        Lax,
+        Strict
     }
 }

test/Microsoft.AspNetCore.Authentication.Test/CookieTests.cs

@@ -136,7 +136,7 @@ public async Task SignInCausesDefaultCookieToBeCreated()
             Assert.StartsWith("TestCookie=", setCookie);
             Assert.Contains("; path=/", setCookie);
             Assert.Contains("; httponly", setCookie);
-            Assert.DoesNotContain("; samesite=", setCookie);
+            Assert.Contains("; samesite=", setCookie);
             Assert.DoesNotContain("; expires=", setCookie);
             Assert.DoesNotContain("; domain=", setCookie);
             Assert.DoesNotContain("; secure", setCookie);