Sets the default cookie secure policy to None

2017-08-29 11:24:36 -07:00 · 2017-08-29 11:24:36 -07:00 · 12e9430d89
parent ac0ce9c8ee
commit 12e9430d89
3 changed files with 32 additions and 4 deletions
--- a/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs
+++ b/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs
@ -19,7 +19,14 @@ namespace Microsoft.AspNetCore.Antiforgery
        private CookieBuilder _cookieBuilder = new CookieBuilder
        {
            SameSite = SameSiteMode.Strict,
-            HttpOnly = true
+            HttpOnly = true,
+
+            // Some browsers do not allow non-secure endpoints to set cookies with a 'secure' flag or overwrite cookies
+            // whose 'secure' flag is set (http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-alone.html).
+            // Since mixing secure and non-secure endpoints is a common scenario in applications, we are relaxing the
+            // restriction on secure policy on some cookies by setting to 'None'. Cookies related to authentication or
+            // authorization use a stronger policy than 'None'.
+            SecurePolicy = CookieSecurePolicy.None,
        };

        /// <summary>
--- a/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/AntiforgeryOptionsSetupTest.cs
+++ b/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/AntiforgeryOptionsSetupTest.cs
@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

 using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Xunit;
@ -58,5 +59,15 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
            // Assert
            Assert.Equal("antiforgery", cookieName);
        }
+
+        [Fact]
+        public void AntiforgeryOptions_SetsCookieSecurePolicy_ToNone_ByDefault()
+        {
+            // Arrange & Act
+            var options = new AntiforgeryOptions();
+
+            // Assert
+            Assert.Equal(CookieSecurePolicy.None, options.Cookie.SecurePolicy);
+        }
    }
 }
--- a/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTokenStoreTest.cs
+++ b/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTokenStoreTest.cs
@ -236,9 +236,16 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
        }

        [Theory]
-        [InlineData(CookieSecurePolicy.Always, true)]
-        [InlineData(CookieSecurePolicy.None, null)]
-        public void SaveCookieToken(CookieSecurePolicy policy, bool? expectedCookieSecureFlag)
+        [InlineData(false, CookieSecurePolicy.SameAsRequest, null)]
+        [InlineData(true, CookieSecurePolicy.SameAsRequest, true)]
+        [InlineData(false, CookieSecurePolicy.Always, true)]
+        [InlineData(true, CookieSecurePolicy.Always, true)]
+        [InlineData(false, CookieSecurePolicy.None, null)]
+        [InlineData(true, CookieSecurePolicy.None, null)]
+        public void SaveCookieToken_HonorsCookieSecurePolicy_OnOptions(
+            bool isRequestSecure,
+            CookieSecurePolicy policy,
+            bool? expectedCookieSecureFlag)
        {
            // Arrange
            var token = "serialized-value";
@ -246,6 +253,9 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
            var cookies = new MockResponseCookieCollection();

            var httpContext = new Mock<HttpContext>();
+            httpContext
+                .Setup(hc => hc.Request.IsHttps)
+                .Returns(isRequestSecure);
            httpContext
                .Setup(o => o.Response.Cookies)
                .Returns(cookies);