1
0
Fork 0
mirror of https://github.com/actix/actix-web.git synced 2024-12-21 23:56:35 +00:00

allow explicit SameSite=None cookies (#1282)

fixes #1035
This commit is contained in:
Rob Ede 2020-01-23 01:08:23 +00:00 committed by Yuki Okushi
parent 2e9ab0625e
commit a3287948d1
4 changed files with 26 additions and 8 deletions

View file

@ -1,3 +1,9 @@
## Unreleased
* Setting a cookie's SameSite property, explicitly, to `SameSite::None` will now
result in `SameSite=None` being sent with the response Set-Cookie header.
To create a cookie without a SameSite attribute, remove any calls setting same_site.
## 2.0.0 ## 2.0.0
* `HttpServer::start()` renamed to `HttpServer::run()`. It also possible to * `HttpServer::start()` renamed to `HttpServer::run()`. It also possible to

View file

@ -1,5 +1,11 @@
# Changes # Changes
# [Unreleased]
### Fixed
* Allow `SameSite=None` cookies to be sent in a response.
## [1.0.1] - 2019-12-20 ## [1.0.1] - 2019-12-20
### Fixed ### Fixed

View file

@ -10,18 +10,26 @@ use std::fmt;
/// attribute is "Strict", then the cookie is never sent in cross-site requests. /// attribute is "Strict", then the cookie is never sent in cross-site requests.
/// If the `SameSite` attribute is "Lax", the cookie is only sent in cross-site /// If the `SameSite` attribute is "Lax", the cookie is only sent in cross-site
/// requests with "safe" HTTP methods, i.e, `GET`, `HEAD`, `OPTIONS`, `TRACE`. /// requests with "safe" HTTP methods, i.e, `GET`, `HEAD`, `OPTIONS`, `TRACE`.
/// If the `SameSite` attribute is not present (made explicit via the /// If the `SameSite` attribute is not present then the cookie will be sent as
/// `SameSite::None` variant), then the cookie will be sent as normal. /// normal. In some browsers, this will implicitly handle the cookie as if "Lax"
/// and in others, "None". It's best to explicitly set the `SameSite` attribute
/// to avoid inconsistent behavior.
///
/// **Note:** Depending on browser, the `Secure` attribute may be required for
/// `SameSite` "None" cookies to be accepted.
/// ///
/// **Note:** This cookie attribute is an HTTP draft! Its meaning and definition /// **Note:** This cookie attribute is an HTTP draft! Its meaning and definition
/// are subject to change. /// are subject to change.
///
/// More info about these draft changes can be found in the draft spec:
/// - https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum SameSite { pub enum SameSite {
/// The "Strict" `SameSite` attribute. /// The "Strict" `SameSite` attribute.
Strict, Strict,
/// The "Lax" `SameSite` attribute. /// The "Lax" `SameSite` attribute.
Lax, Lax,
/// No `SameSite` attribute. /// The "None" `SameSite` attribute.
None, None,
} }
@ -92,7 +100,7 @@ impl fmt::Display for SameSite {
match *self { match *self {
SameSite::Strict => write!(f, "Strict"), SameSite::Strict => write!(f, "Strict"),
SameSite::Lax => write!(f, "Lax"), SameSite::Lax => write!(f, "Lax"),
SameSite::None => Ok(()), SameSite::None => write!(f, "None"),
} }
} }
} }

View file

@ -746,10 +746,8 @@ impl<'c> Cookie<'c> {
} }
if let Some(same_site) = self.same_site() { if let Some(same_site) = self.same_site() {
if !same_site.is_none() {
write!(f, "; SameSite={}", same_site)?; write!(f, "; SameSite={}", same_site)?;
} }
}
if let Some(path) = self.path() { if let Some(path) = self.path() {
write!(f, "; Path={}", path)?; write!(f, "; Path={}", path)?;
@ -1037,7 +1035,7 @@ mod tests {
let cookie = Cookie::build("foo", "bar") let cookie = Cookie::build("foo", "bar")
.same_site(SameSite::None) .same_site(SameSite::None)
.finish(); .finish();
assert_eq!(&cookie.to_string(), "foo=bar"); assert_eq!(&cookie.to_string(), "foo=bar; SameSite=None");
} }
#[test] #[test]