From e5de4e672cbe879d598529c257539b6a7d1a7bf9 Mon Sep 17 00:00:00 2001
From: Kiran Challa
Date: Wed, 10 Jan 2018 15:34:48 -0800
Subject: [PATCH] Marked Antiforgery cookie as essential

Related to https://github.com/aspnet/Home/issues/2408 : Determine if the antiforgery cookie is considered essential
---
 src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs b/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs
index 405905b587..e58f3f73c7 100644
--- a/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs
+++ b/src/Microsoft.AspNetCore.Antiforgery/AntiforgeryOptions.cs
@@ -21,6 +21,9 @@ namespace Microsoft.AspNetCore.Antiforgery
 SameSite = SameSiteMode.Strict,
 HttpOnly = true,
 
+ // Check the comment on CookieBuilder for more details
+ IsEssential = true,
+
 // Some browsers do not allow non-secure endpoints to set cookies with a 'secure' flag or overwrite cookies
 // whose 'secure' flag is set (http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-alone.html).
 // Since mixing secure and non-secure endpoints is a common scenario in applications, we are relaxing the
@@ -45,6 +48,10 @@ namespace Microsoft.AspNetCore.Antiforgery
 ///
 /// defaults to .
 /// defaults to true.
+/// defaults to true. The cookie used by the antiforgery system
+/// is part of a security system that is necessary when using cookie-based authentication. It should be
+/// considered required for the application to function.
+/// defaults to .
 ///
 ///
 public CookieBuilder Cookie
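Review bot: The comment above `IsEssential = true` only defers to CookieBuilder and does not say why the antiforgery cookie is marked essential; this line is where the policy decision is made, so the reason should be readable here. Suggest replacing it with `// Essential: a cookie consent policy must not suppress this cookie, otherwise antiforgery validation fails for every user who has not given consent.` As far as the options visible here show, the cookie carries only the antiforgery token and nothing user-identifying, which is the justification for treating it as strictly necessary; worth confirming against the token serializer. The enclosing CookieBuilder initializer starts and ends outside the hunk.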
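Review bot: The added remarks tie the essential default to "cookie-based authentication", but the initializer in the first hunk sets `IsEssential = true` unconditionally, so the text should state the actual consequence rather than a condition under which it matters. Suggest the three explanatory lines read `/// defaults to true. The antiforgery cookie is required for request validation and must not be suppressed by cookie consent handling; it is considered strictly necessary for the application to function.` The cross-reference markup appears to have been stripped in this rendering of the hunk, so the targets of the "defaults to" sentences cannot be checked here. The documented Cookie property begins on the hunk's last line and continues outside it.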