Support for Cookie "SameSite" Flag

[mariusschulz]

Are there any plans to implement support for the cookie SameSite flag within the cookie authentication middleware? The flag helps mitigate CSRF attacks and is currently recognized by Chrome and Opera, and possibly more browsers soon.

I'm thinking about a new property on CookieAuthenticationOptions, as illustrated here:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    SameSite = SameSitePolicy.Always // or SameSitePolicy.None
    // ...
});

I think this feature has a very good cost-benefit ratio. The implementation should be relatively straightforward, and it wouldn't hurt to have an additional protection measure against CSRF besides antiforgery tokens.

[Tratcher]

This was previously discussed here: #831 (comment)

SameSite is still in draft form: https://tools.ietf.org/html/draft-west-first-party-cookies-07

We may add support for it when the spec is finished.

[Tratcher]

@blowdart has requested this be re-triaged.

[Tratcher]

Depends on aspnet/HttpAbstractions#710

[Eilon]

Need to also make sure we update the Cookie Policy middleware to allow setting this.