From 18c2f031223819318fe13f15a2ce776bdc160be0 Mon Sep 17 00:00:00 2001 From: Scott Addie Date: Wed, 20 Nov 2019 14:02:27 -0600 Subject: [PATCH 1/2] Add breaking change for ASP.NET Core 3.0 --- docs/core/compatibility/2.2-3.0.md | 6 ++- docs/core/compatibility/aspnetcore.md | 6 ++- .../http-cookie-samesite-defaults-change.md | 42 +++++++++++++++++++ 3 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md diff --git a/docs/core/compatibility/2.2-3.0.md b/docs/core/compatibility/2.2-3.0.md index 7c14898657480..abcfd4d0dfb76 100644 --- a/docs/core/compatibility/2.2-3.0.md +++ b/docs/core/compatibility/2.2-3.0.md @@ -1,7 +1,7 @@ --- title: Breaking changes, version 2.2 to 3.0 - .NET Core description: Lists the breaking changes from version 2.2 to version 3.0 of .NET Core, ASP.NET Core, and EF Core. -ms.date: "10/16/2019" +ms.date: "11/20/2019" --- # Breaking changes for migration from Version 2.2 to 3.0 @@ -81,6 +81,10 @@ If you're migrating from version 2.2 to version 3.0 of .NET Core, ASP.NET Core, *** +[!INCLUDE[HTTP: Some cookie SameSite default values changed](~/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md)] + +*** + [!INCLUDE[HTTP: Synchronous IO disabled by default](~/includes/core-changes/aspnetcore/3.0/http-synchronous-io-disabled.md)] *** diff --git a/docs/core/compatibility/aspnetcore.md b/docs/core/compatibility/aspnetcore.md index 046f87051a284..88e9a3c1cc1d1 100644 --- a/docs/core/compatibility/aspnetcore.md +++ b/docs/core/compatibility/aspnetcore.md @@ -1,7 +1,7 @@ --- title: ASP.NET Core breaking changes - .NET Core description: Lists the breaking changes in ASP.NET Core. -ms.date: "10/17/2019" +ms.date: "11/20/2019" author: "scottaddie" ms.author: "scaddie" --- 
@@ -83,6 +83,10 @@ The following is a list of ASP.NET Core breaking changes by ASP.NET Core version *** +[!INCLUDE[HTTP: Some cookie SameSite default values changed](~/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md)] + +*** + [!INCLUDE[HTTP: Synchronous IO disabled by default](~/includes/core-changes/aspnetcore/3.0/http-synchronous-io-disabled.md)] *** diff --git a/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md b/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md new file mode 100644 index 0000000000000..1c962538cfd26 --- /dev/null +++ b/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md @@ -0,0 +1,42 @@ +### HTTP: Some cookie SameSite defaults changed to None + +`SameSite` is an option for cookies that can help mitigate some Cross-Site Request Forgery (CSRF) attacks. When this option was initially introduced, inconsistent defaults were used across various ASP.NET Core APIs. The inconsistency has led to confusing results. As of ASP.NET Core 3.0, these defaults are better aligned. This is an opt-in feature on a per-component basis. + +#### Version introduced + +3.0 + +#### Old behavior + +APIs defaulted to `SameSiteMode.Lax`. + +#### New behavior + +APIs default to `SameSiteMode.None`. + +#### Reason for change + +The default value was changed to make `SameSite` an opt-in feature. + +#### Recommended action + +Each component that emits cookies needs to decide if `SameSite` is appropriate for its scenarios. Review your usage of the affected APIs and reconfigure `SameSite` as needed. + +#### Category + +ASP.NET Core + +#### Affected APIs + +- +- + + + \ No newline at end of file From bd51a9c105fb0563655cbdab0aa6ce55f38e1843 Mon Sep 17 00:00:00 2001 
From: Scott Addie Date: Wed, 20 Nov 2019 15:09:14 -0600 Subject: [PATCH 2/2] react to feedback --- .../aspnetcore/3.0/http-cookie-samesite-defaults-change.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md b/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md index 1c962538cfd26..68b2622f8c9de 100644 --- a/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md +++ b/includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md @@ -1,6 +1,6 @@ ### HTTP: Some cookie SameSite defaults changed to None -`SameSite` is an option for cookies that can help mitigate some Cross-Site Request Forgery (CSRF) attacks. When this option was initially introduced, inconsistent defaults were used across various ASP.NET Core APIs. The inconsistency has led to confusing results. As of ASP.NET Core 3.0, these defaults are better aligned. This is an opt-in feature on a per-component basis. +`SameSite` is an option for cookies that can help mitigate some Cross-Site Request Forgery (CSRF) attacks. When this option was initially introduced, inconsistent defaults were used across various ASP.NET Core APIs. The inconsistency has led to confusing results. As of ASP.NET Core 3.0, these defaults are better aligned. You must opt in to this feature on a per-component basis. #### Version introduced @@ -8,11 +8,11 @@ #### Old behavior -APIs defaulted to `SameSiteMode.Lax`. +Similar ASP.NET Core APIs used different default values. An example of the inconsistency is seen in `HttpResponse.Cookies.Append(String, String)` and `HttpResponse.Cookies.Append(String, String, CookieOptions)`, which defaulted to `SameSiteMode.None` and `SameSiteMode.Lax`, respectively. #### New behavior -APIs default to `SameSiteMode.None`. +All the affected APIs default to `SameSiteMode.None`. #### Reason for change 
@@ -39,4 +39,3 @@ ASP.NET Core - `Overload:Microsoft.AspNetCore.Builder.CookiePolicyOptions.MinimumSameSitePolicy` --> - \ No newline at end of file
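Review bot: in PATCH 1/2, the new-file hunk for `includes/core-changes/aspnetcore/3.0/http-cookie-samesite-defaults-change.md` has an "Old behavior" section that contradicts its own introduction: the intro says inconsistent defaults were used across various ASP.NET Core APIs, yet "Old behavior" states a single default of `SameSiteMode.Lax`. List the actual per-API defaults so a reader can tell what changed for each API. The "Affected APIs" section also ships with two empty bullets (`-` / `-`) and an unfilled comment block; either fill in the API identifiers or leave the section out until they are known. Finally, "Reason for change" only restates the new behavior ("to make `SameSite` an opt-in feature"); it should say why opt-in was preferred, because moving the default off `Lax` removes the CSRF mitigation that the intro itself credits `SameSite` with for any caller that relied on the implicit default.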
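Review bot: in PATCH 2/2, hunk `@@ -1,6 +1,6 @@`, the rewritten sentence "You must opt in to this feature on a per-component basis" leaves "this feature" ambiguous between the `SameSite` attribute and the newly aligned defaults described in the preceding sentence; suggest "You must opt in to `SameSite` on a per-component basis", which also matches the "Recommended action" wording below.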
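Review bot: in PATCH 2/2, hunk `@@ -8,11 +8,11 @@`, the corrected "Old behavior" now makes it visible that `HttpResponse.Cookies.Append(String, String, CookieOptions)` moves from `SameSiteMode.Lax` to `SameSiteMode.None`, which weakens the CSRF posture of every caller that relied on that overload's implicit `Lax` default; the unchanged "Recommended action" text ("reconfigure `SameSite` as needed") should state this plainly and tell such callers to set `CookieOptions.SameSite` to `SameSiteMode.Lax` (or `SameSiteMode.Strict`) explicitly to keep the previous protection. The entry should also say what `SameSiteMode.None` produces on the `Set-Cookie` header (whether the attribute is omitted or emitted), since a reader deciding whether to reconfigure needs that to judge the impact.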
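Review bot: in PATCH 2/2, hunk `@@ -39,4 +39,3 @@`, removing the trailing blank line still leaves the file without a terminating newline (`\ No newline at end of file` persists on both sides); add the final newline. The hunk context also shows `Overload:Microsoft.AspNetCore.Builder.CookiePolicyOptions.MinimumSameSitePolicy` sitting just above the closing `-->`, so the affected-API identifiers remain inside the HTML comment while the visible "Affected APIs" bullets are empty; if the identifiers are now settled, move them out of the comment into the visible list.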