Commit efc5efba authored by Amanda's avatar Amanda

cookie: Change default same-site value to Lax

As per https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-00,
the default value is now Lax.

This change was introduced in Chrome 80 and Firefox 96.
parent 8d5f7c43
Pipeline #469049 passed with stages
in 7 minutes and 56 seconds
......@@ -137,7 +137,7 @@ string_to_same_site_policy (const char *string)
else if (strcmp (string, "None") == 0)
return SOUP_SAME_SITE_POLICY_NONE;
else
g_return_val_if_reached (SOUP_SAME_SITE_POLICY_NONE);
g_return_val_if_reached (SOUP_SAME_SITE_POLICY_LAX);
}
static const char *
......@@ -152,7 +152,7 @@ same_site_policy_to_string (SoupSameSitePolicy policy)
return "None";
}
g_return_val_if_reached ("None");
g_return_val_if_reached ("Lax");
}
static SoupCookie*
......
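Review bot: The final `else` in string_to_same_site_policy still goes through `g_return_val_if_reached`, which treats an unrecognised string as a programming error and logs a critical before returning the fallback. If `string` comes from stored or otherwise external data (the callers are outside this section), an unknown token would abort a process that runs with criticals made fatal. A plain `return SOUP_SAME_SITE_POLICY_LAX;` with a comment such as `/* Unknown values fall back to the default, Lax */` states the intent without the assertion. The matching fallback in same_site_policy_to_string guards an enum value rather than input, so the macro is reasonable there. Both functions begin outside the hunks shown.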
......@@ -170,6 +170,7 @@ parse_one_cookie (const char *header, GUri *origin)
SoupCookie *cookie;
cookie = g_slice_new0 (SoupCookie);
soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);
/* Parse the NAME */
start = skip_lws (header);
......@@ -233,15 +234,15 @@ parse_one_cookie (const char *header, GUri *origin)
} else if (MATCH_NAME ("samesite")) {
if (has_value) {
char *policy = parse_value (&p, TRUE);
if (g_ascii_strcasecmp (policy, "Lax") == 0)
soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);
if (g_ascii_strcasecmp (policy, "None") == 0)
soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_NONE);
else if (g_ascii_strcasecmp (policy, "Strict") == 0)
soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_STRICT);
/* There is an explicit "None" value which is the default. */
/* There is an explicit "Lax" value which is the default */
g_free (policy);
}
/* Note that earlier versions of the same-site RFC treated invalid values as strict but
the latest revision simply ignores them. */
the latest revision assigns invalid SameSite values to Lax. */
} else {
/* Ignore unknown attributes, but we still have
* to skip over the value.
......@@ -328,6 +329,7 @@ cookie_new_internal (const char *name, const char *value,
cookie->domain = g_strdup (domain);
cookie->path = g_strdup (path);
soup_cookie_set_max_age (cookie, max_age);
cookie->same_site_policy = SOUP_SAME_SITE_POLICY_LAX;
return cookie;
}
......@@ -359,6 +361,9 @@ cookie_new_internal (const char *name, const char *value,
* about setting the exact time that the cookie will expire, use
* [method@Cookie.set_expires].)
*
* As of version 3.4.0 the default value of a cookie's same-site-policy
* is %SOUP_SAME_SITE_POLICY_LAX.
*
* Returns: a new #SoupCookie.
**/
SoupCookie *
......@@ -397,6 +402,9 @@ soup_cookie_new (const char *name, const char *value,
* appropriate string for the domain if you want to actually make use
* of the cookie.
*
* As of version 3.4.0 the default value of a cookie's same-site-policy
* is %SOUP_SAME_SITE_POLICY_LAX.
*
* Returns: (nullable): a new #SoupCookie, or %NULL if it could
* not be parsed, or contained an illegal "domain" attribute for a
* cookie originating from @origin.
......
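Review bot: In the `samesite` branch of parse_one_cookie, a value that is neither "None" nor "Strict" leaves the policy untouched instead of setting it to Lax, so the result depends on what an earlier attribute in the same header already set. With a repeated attribute such as `SameSite=None; SameSite=Lax`, or a bare `SameSite` with no value, the cookie would keep `SOUP_SAME_SITE_POLICY_NONE`. That is more permissive than the last attribute asks for, and it contradicts the updated comment saying invalid values are assigned Lax. Adding a final `else soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);` before `g_free (policy);`, plus the same call when `has_value` is false, makes the last attribute win. This reading assumes the "None"/"Strict" comparisons are the new side of the hunk; the function body starts and ends outside it.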
......@@ -332,11 +332,12 @@ do_cookies_parsing_test (void)
got1 = TRUE;
g_assert_true (soup_cookie_get_http_only (cookie));
g_assert_true (soup_cookie_get_expires (cookie) != NULL);
g_assert_cmpint (soup_cookie_get_same_site_policy (cookie), ==, SOUP_SAME_SITE_POLICY_LAX);
} else if (!strcmp (soup_cookie_get_name (cookie), "two")) {
got2 = TRUE;
g_assert_true (soup_cookie_get_http_only (cookie));
g_assert_true (soup_cookie_get_expires (cookie) != NULL);
g_assert_cmpint (soup_cookie_get_same_site_policy (cookie), ==, SOUP_SAME_SITE_POLICY_NONE);
g_assert_cmpint (soup_cookie_get_same_site_policy (cookie), ==, SOUP_SAME_SITE_POLICY_LAX);
} else if (!strcmp (soup_cookie_get_name (cookie), "three")) {
got3 = TRUE;
g_assert_true (soup_cookie_get_http_only (cookie));
......
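Review bot: Both same-site assertions visible in do_cookies_parsing_test now expect `SOUP_SAME_SITE_POLICY_LAX`, so as far as this section shows nothing checks that the parser can still produce a non-default policy. A case whose header carries an explicit `SameSite=None` (asserting `SOUP_SAME_SITE_POLICY_NONE`) and one with an unrecognised value (asserting Lax) would pin the new fallback. The branches for cookie "three" onward continue outside the hunk and may already cover part of this.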
......@@ -13,21 +13,24 @@ static void
same_site_setup (SameSiteFixture *fixture,
gconstpointer data)
{
SoupCookie *cookie_none, *cookie_lax, *cookie_strict;
SoupCookie *cookie_none, *cookie_lax, *cookie_strict, *cookie_default;
fixture->origin_uri = g_uri_parse ("http://127.0.0.1", SOUP_HTTP_URI_FLAGS, NULL);
fixture->cross_uri = g_uri_parse ("http://localhost", SOUP_HTTP_URI_FLAGS, NULL);
fixture->jar = soup_cookie_jar_new ();
cookie_none = soup_cookie_new ("none", "1", "127.0.0.1", "/", 1000);
soup_cookie_set_same_site_policy (cookie_none, SOUP_SAME_SITE_POLICY_NONE);
cookie_lax = soup_cookie_new ("lax", "1", "127.0.0.1", "/", 1000);
soup_cookie_set_same_site_policy (cookie_lax, SOUP_SAME_SITE_POLICY_LAX);
cookie_strict = soup_cookie_new ("strict", "1", "127.0.0.1", "/", 1000);
soup_cookie_set_same_site_policy (cookie_strict, SOUP_SAME_SITE_POLICY_STRICT);
cookie_default = soup_cookie_new ("default", "1", "127.0.0.1", "/", 1000);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_none);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_lax);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_strict);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_default);
}
static void
......@@ -52,10 +55,10 @@ assert_highest_policy_visible (GSList *cookies, SoupSameSitePolicy policy)
switch (policy) {
case SOUP_SAME_SITE_POLICY_STRICT:
expected_count = 3;
expected_count = 4;
break;
case SOUP_SAME_SITE_POLICY_LAX:
expected_count = 2;
expected_count = 3;
break;
case SOUP_SAME_SITE_POLICY_NONE:
expected_count = 1;
......
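Review bot: `cookie_default` in same_site_setup is the only cookie created without a `soup_cookie_set_same_site_policy` call, and that omission is the point of the test, but nothing says so. A comment above it such as `/* No explicit policy: relies on the constructor default (Lax) */` would keep a later cleanup from adding the call. The `expected_count` values in assert_highest_policy_visible have to track the fixture by hand, so a short comment on each, for example `/* none + lax + default */` on the Lax case, would make the coupling visible. The switch continues outside the hunk.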