Changed CookieTempDataProvider's CookieSecurePolicy from SameAsRequest to None

This commit is contained in:
Kiran Challa 2017-08-29 11:52:38 -07:00
parent cfc05104e4
commit b2f9ad1b67
3 changed files with 24 additions and 9 deletions

View File

@ -17,7 +17,13 @@ namespace Microsoft.AspNetCore.Mvc
Name = CookieTempDataProvider.CookieName, Name = CookieTempDataProvider.CookieName,
HttpOnly = true, HttpOnly = true,
SameSite = SameSiteMode.Strict, SameSite = SameSiteMode.Strict,
SecurePolicy = CookieSecurePolicy.SameAsRequest,
// Some browsers do not allow non-secure endpoints to set cookies with a 'secure' flag or overwrite cookies
// whose 'secure' flag is set (http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-alone.html).
// Since mixing secure and non-secure endpoints is a common scenario in applications, we are relaxing the
// restriction on secure policy on some cookies by setting to 'None'. Cookies related to authentication or
// authorization use a stronger policy than 'None'.
SecurePolicy = CookieSecurePolicy.None,
}; };
/// <summary> /// <summary>

View File

@ -137,7 +137,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
[Theory] [Theory]
[InlineData(true)] [InlineData(true)]
[InlineData(false)] [InlineData(false)]
public async Task CookieTempDataProviderCookie_SetsSecureAttributeOnCookie_OnlyIfRequestIsSecure(bool secureRequest) public async Task CookieTempDataProviderCookie_DoesNotSetsSecureAttributeOnCookie(bool secureRequest)
{ {
// Arrange // Arrange
var protocol = secureRequest ? "https" : "http"; var protocol = secureRequest ? "https" : "http";
@ -159,7 +159,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
Assert.NotNull(setCookieHeader); Assert.NotNull(setCookieHeader);
Assert.Equal("/", setCookieHeader.Path); Assert.Equal("/", setCookieHeader.Path);
Assert.Null(setCookieHeader.Domain.Value); Assert.Null(setCookieHeader.Domain.Value);
Assert.Equal(secureRequest, setCookieHeader.Secure); Assert.False(setCookieHeader.Secure);
Assert.Null(setCookieHeader.Expires); Assert.Null(setCookieHeader.Expires);
} }
} }

View File

@ -162,9 +162,16 @@ namespace Microsoft.AspNetCore.Mvc.ViewFeatures
} }
[Theory] [Theory]
[InlineData(true)] [InlineData(true, CookieSecurePolicy.None, false)]
[InlineData(false)] [InlineData(false, CookieSecurePolicy.None, false)]
public void SaveTempData_SetsSecureAttributeOnCookie_OnlyIfRequestIsSecure(bool isSecure) [InlineData(true, CookieSecurePolicy.Always, true)]
[InlineData(false, CookieSecurePolicy.Always, true)]
[InlineData(true, CookieSecurePolicy.SameAsRequest, true)]
[InlineData(false, CookieSecurePolicy.SameAsRequest, false)]
public void SaveTempData_HonorsCookieSecurePolicy_OnOptions(
bool isRequestSecure,
CookieSecurePolicy cookieSecurePolicy,
bool expectedSecureFlag)
{ {
// Arrange // Arrange
var values = new Dictionary<string, object>(); var values = new Dictionary<string, object>();
@ -173,7 +180,9 @@ namespace Microsoft.AspNetCore.Mvc.ViewFeatures
var expectedDataToProtect = tempDataProviderStore.Serialize(values); var expectedDataToProtect = tempDataProviderStore.Serialize(values);
var expectedDataInCookie = WebEncoders.Base64UrlEncode(expectedDataToProtect); var expectedDataInCookie = WebEncoders.Base64UrlEncode(expectedDataToProtect);
var dataProtector = new PassThroughDataProtector(); var dataProtector = new PassThroughDataProtector();
var tempDataProvider = GetProvider(dataProtector); var options = new CookieTempDataProviderOptions();
options.Cookie.SecurePolicy = cookieSecurePolicy;
var tempDataProvider = GetProvider(dataProtector, options);
var responseCookies = new MockResponseCookieCollection(); var responseCookies = new MockResponseCookieCollection();
var httpContext = new Mock<HttpContext>(); var httpContext = new Mock<HttpContext>();
httpContext httpContext
@ -181,7 +190,7 @@ namespace Microsoft.AspNetCore.Mvc.ViewFeatures
.Returns("/"); .Returns("/");
httpContext httpContext
.SetupGet(hc => hc.Request.IsHttps) .SetupGet(hc => hc.Request.IsHttps)
.Returns(isSecure); .Returns(isRequestSecure);
httpContext httpContext
.Setup(hc => hc.Response.Cookies) .Setup(hc => hc.Response.Cookies)
.Returns(responseCookies); .Returns(responseCookies);
@ -196,7 +205,7 @@ namespace Microsoft.AspNetCore.Mvc.ViewFeatures
Assert.Equal(expectedDataInCookie, cookieInfo.Value); Assert.Equal(expectedDataInCookie, cookieInfo.Value);
Assert.Equal(expectedDataToProtect, dataProtector.PlainTextToProtect); Assert.Equal(expectedDataToProtect, dataProtector.PlainTextToProtect);
Assert.Equal("/", cookieInfo.Options.Path); Assert.Equal("/", cookieInfo.Options.Path);
Assert.Equal(isSecure, cookieInfo.Options.Secure); Assert.Equal(expectedSecureFlag, cookieInfo.Options.Secure);
Assert.True(cookieInfo.Options.HttpOnly); Assert.True(cookieInfo.Options.HttpOnly);
Assert.Null(cookieInfo.Options.Expires); Assert.Null(cookieInfo.Options.Expires);
Assert.Null(cookieInfo.Options.Domain); Assert.Null(cookieInfo.Options.Domain);