New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SameSite to DiscardingCookie #10693
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -133,8 +133,14 @@ object Cookie { | |
* @param domain the cookie domain | ||
* @param secure whether this cookie is secured | ||
*/ | ||
case class DiscardingCookie(name: String, path: String = "/", domain: Option[String] = None, secure: Boolean = false) { | ||
def toCookie = Cookie(name, "", Some(Cookie.DiscardedMaxAge), path, domain, secure, false) | ||
case class DiscardingCookie( | ||
name: String, | ||
path: String = "/", | ||
domain: Option[String] = None, | ||
secure: Boolean = false, | ||
sameSite: Option[SameSite] = None | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we actually need pass the We probably want to use the broadest possible def toCookie = {
// `SameSite=None` requires `Secure`
val sameSite = if (secure) SameSite.None else SameSite.Lax
Cookie(name, "", Some(Cookie.DiscardedMaxAge), path, domain, secure, false, Some(sameSite))
}
This will potentially overwrite the existing There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @gmethvin Do you think it's safe to send Another concern I have: Could there be cases where setting SameSite=None would allow an attacker to delete a cookie in situations were it would not have been possible when using Lax? I mean, as a framework user, I set Samesite=Lax in Actually the more I think about this I think for the discard cookie we should just use the same SameSite attribute like when the cookie was created... I think that makes the most sense: In the end the user has control which SameSite attribute will be send (for session/flash cookies that would be in application.conf). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To be honest I haven't thought through all the potential browser bugs and special cases, so I guess that's a good point.
Yes, this would probably be the best solution. If we know the value of the original cookie that would be the most intuitive API. For session and flash cookies of course this would be easy, but I think for other cookies we would need to retrieve the original cookie from the request. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I don't think that is something the framework should care about. The framework user created the cookie, so the user should just make sure to set the correct SameSite attribute when discarding the cookie. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @gmethvin Actually this pull request is ready now. |
||
) { | ||
def toCookie = Cookie(name, "", Some(Cookie.DiscardedMaxAge), path, domain, secure, false, sameSite) | ||
} | ||
|
||
/** | ||
|
@@ -492,7 +498,7 @@ trait CookieBaker[T <: AnyRef] { self: CookieDataCodec => | |
} | ||
} | ||
|
||
def discard = DiscardingCookie(COOKIE_NAME, path, domain, secure) | ||
def discard = DiscardingCookie(COOKIE_NAME, path, domain, secure, sameSite) | ||
mkurz marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
/** | ||
* Builds the cookie object from the given data map. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this means you'll have to switch to this API to fix the samesite issue for custom cookies?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, you have to use this new method that takes the
Cookie.SameSite
param.