Update OIDC SameSite sample (#18934)

2020-02-14 10:07:46 -08:00 · 2020-02-14 10:07:46 -08:00 · 7e094d7b7d
parent 00e8e953b4
commit 7e094d7b7d
1 changed files with 45 additions and 7 deletions
--- a/src/Security/Authentication/OpenIdConnect/samples/OpenIdConnectSample/Startup.cs
+++ b/src/Security/Authentication/OpenIdConnect/samples/OpenIdConnectSample/Startup.cs
@ -35,20 +35,58 @@ namespace OpenIdConnectSample

        private void CheckSameSite(HttpContext httpContext, CookieOptions options)
        {
-            if (options.SameSite > SameSiteMode.Unspecified)
+            if (options.SameSite == SameSiteMode.None)
            {
-                var userAgent = httpContext.Request.Headers["User-Agent"];
-                // TODO: Use your User Agent library of choice here.
-                if (userAgent.Contains("CPU iPhone OS 12") // Also covers iPod touch
-                    || userAgent.Contains("iPad; CPU OS 12")
-                    // Safari 12 and 13 are both broken on Mojave
-                    || userAgent.Contains("Macintosh; Intel Mac OS X 10_14"))
+                var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
+
+                if (DisallowsSameSiteNone(userAgent))
                {
                    options.SameSite = SameSiteMode.Unspecified;
                }
            }
        }

+        // TODO: Use your User Agent library of choice here.
+        public static bool DisallowsSameSiteNone(string userAgent)
+        {
+            if (string.IsNullOrEmpty(userAgent))
+            {
+                return false;
+            }
+
+            // Cover all iOS based browsers here. This includes:
+            // - Safari on iOS 12 for iPhone, iPod Touch, iPad
+            // - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
+            // - Chrome on iOS 12 for iPhone, iPod Touch, iPad
+            // All of which are broken by SameSite=None, because they use the iOS networking stack
+            if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
+            {
+                return true;
+            }
+
+            // Cover Mac OS X based browsers that use the Mac OS networking stack. This includes:
+            // - Safari on Mac OS X.
+            // This does not include:
+            // - Chrome on Mac OS X
+            // Because they do not use the Mac OS networking stack.
+            if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
+                userAgent.Contains("Version/") && userAgent.Contains("Safari"))
+            {
+                return true;
+            }
+
+            // Cover Chrome 50-69, because some versions are broken by SameSite=None, 
+            // and none in this range require it.
+            // Note: this covers some pre-Chromium Edge versions, 
+            // but pre-Chromium Edge does not require SameSite=None.
+            if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
+            {
+                return true;
+            }
+
+            return false;
+        }
+
        public void ConfigureServices(IServiceCollection services)
        {
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();