Sets the default cookie secure policy to None
This commit is contained in:
parent
ac0ce9c8ee
commit
12e9430d89
|
|
@ -19,7 +19,14 @@ namespace Microsoft.AspNetCore.Antiforgery
|
||||||
private CookieBuilder _cookieBuilder = new CookieBuilder
|
private CookieBuilder _cookieBuilder = new CookieBuilder
|
||||||
{
|
{
|
||||||
SameSite = SameSiteMode.Strict,
|
SameSite = SameSiteMode.Strict,
|
||||||
HttpOnly = true
|
HttpOnly = true,
|
||||||
|
|
||||||
|
// Some browsers do not allow non-secure endpoints to set cookies with a 'secure' flag or overwrite cookies
|
||||||
|
// whose 'secure' flag is set (http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-alone.html).
|
||||||
|
// Since mixing secure and non-secure endpoints is a common scenario in applications, we are relaxing the
|
||||||
|
// restriction on secure policy on some cookies by setting to 'None'. Cookies related to authentication or
|
||||||
|
// authorization use a stronger policy than 'None'.
|
||||||
|
SecurePolicy = CookieSecurePolicy.None,
|
||||||
};
|
};
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
|
|
|
||||||
|
|
@ -2,6 +2,7 @@
|
||||||
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
|
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
|
||||||
|
|
||||||
using Microsoft.AspNetCore.DataProtection;
|
using Microsoft.AspNetCore.DataProtection;
|
||||||
|
using Microsoft.AspNetCore.Http;
|
||||||
using Microsoft.Extensions.DependencyInjection;
|
using Microsoft.Extensions.DependencyInjection;
|
||||||
using Microsoft.Extensions.Options;
|
using Microsoft.Extensions.Options;
|
||||||
using Xunit;
|
using Xunit;
|
||||||
|
|
@ -58,5 +59,15 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
// Assert
|
// Assert
|
||||||
Assert.Equal("antiforgery", cookieName);
|
Assert.Equal("antiforgery", cookieName);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public void AntiforgeryOptions_SetsCookieSecurePolicy_ToNone_ByDefault()
|
||||||
|
{
|
||||||
|
// Arrange & Act
|
||||||
|
var options = new AntiforgeryOptions();
|
||||||
|
|
||||||
|
// Assert
|
||||||
|
Assert.Equal(CookieSecurePolicy.None, options.Cookie.SecurePolicy);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -236,9 +236,16 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[InlineData(CookieSecurePolicy.Always, true)]
|
[InlineData(false, CookieSecurePolicy.SameAsRequest, null)]
|
||||||
[InlineData(CookieSecurePolicy.None, null)]
|
[InlineData(true, CookieSecurePolicy.SameAsRequest, true)]
|
||||||
public void SaveCookieToken(CookieSecurePolicy policy, bool? expectedCookieSecureFlag)
|
[InlineData(false, CookieSecurePolicy.Always, true)]
|
||||||
|
[InlineData(true, CookieSecurePolicy.Always, true)]
|
||||||
|
[InlineData(false, CookieSecurePolicy.None, null)]
|
||||||
|
[InlineData(true, CookieSecurePolicy.None, null)]
|
||||||
|
public void SaveCookieToken_HonorsCookieSecurePolicy_OnOptions(
|
||||||
|
bool isRequestSecure,
|
||||||
|
CookieSecurePolicy policy,
|
||||||
|
bool? expectedCookieSecureFlag)
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
var token = "serialized-value";
|
var token = "serialized-value";
|
||||||
|
|
@ -246,6 +253,9 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
var cookies = new MockResponseCookieCollection();
|
var cookies = new MockResponseCookieCollection();
|
||||||
|
|
||||||
var httpContext = new Mock<HttpContext>();
|
var httpContext = new Mock<HttpContext>();
|
||||||
|
httpContext
|
||||||
|
.Setup(hc => hc.Request.IsHttps)
|
||||||
|
.Returns(isRequestSecure);
|
||||||
httpContext
|
httpContext
|
||||||
.Setup(o => o.Response.Cookies)
|
.Setup(o => o.Response.Cookies)
|
||||||
.Returns(cookies);
|
.Returns(cookies);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue