SameSite.None for cookies is ignored #12125
Comments
That's because "None" isn't defined in the current spec as a valid header value, only Lax and Strict. None is specified by the absence of the SameSite key. Apparently None is defined in a new draft standard where they change the default to Lax. This is a very problematic change as Lax is incompatible with OAuth & OIDC. We'd have to patch every supported version and add support to Katana. It's also noted in https://www.chromestatus.com/feature/5088147346030592 that None is incompatible with Safari, you end up with Strict behavior instead. That's an absolute block from making this change, there would be no combination of settings that worked in both Chrome and Safari.
This will likely need to be evaluated as a backport to 2.1/2.2/3.0. We will need to wait until we can validate major browser support.
P0 - Chrome change (SameSite cookie - https://www.chromestatus.com/feature/5088147346030592) in Chrome 78 beta (Sep 19), and Chrome 80 stable (Jan 2020).
Fixed in 3.1.0-preview1. Leaving this open to track all of the patches.
Re-implement SameSite for 2019 #12125
* Rename compat flag
* Use Microsoft.AspNetCore.SuppressSameSiteNone compat key
* Backport CookiePolicy quirk and sample
* Patch config

Re-implement SameSite for 2019 #12125
* Rename compat flag
* References
* Use Microsoft.AspNetCore.SuppressSameSiteNone compat key
* Patch config
* Port CookiePolicy fix
The patches are all in, right? I think this can be closed now.
When setting SameSite to None in a cookie, the value isn't added to the actual cookie:
https://github.com/aspnet/AspNetCore/blob/master/src/Http/Headers/src/SetCookieHeaderValue.cs#L132-L136
This was fine until now because None was the default value used by all web browsers when the property is not set.
Unfortunately, Chrome is changing that, and starting with version 80 the default value will be Lax: https://www.chromestatus.com/feature/5088147346030592
It means that whenever we set SameSite to None in AspNetCore, no value is sent to the browser, and it's going to be interpreted as "Lax" by Chrome.
As a fix, we can either remove the
    if (SameSite != SameSiteMode.None)
check in SetCookieHeaderValue, or add a "SameSiteSet" field to detect when the user wants to let the browser decide the default value.
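The following is an added example, not code from the AspNetCore repository or from the issue author. It is a minimal Set-Cookie serializer that reproduces the behaviour the report describes (a None value silently dropped, so Chrome 80+ falls back to Lax) next to the tri-state approach the report proposes, where only an explicitly unspecified value suppresses the attribute. The enum name `SameSitePolicy`, its `Unspecified` member and the class `CookieSerializer` are illustrative assumptions; the real type on the page is `SetCookieHeaderValue` with a `SameSiteMode` enum.

```csharp
// Added example (not from the AspNetCore repository): reproduces the dropped
// SameSite=None attribute and shows the tri-state fix proposed in the issue.
using System;
using System.Text;

// Hypothetical tri-state. Unspecified means "emit no SameSite attribute and let
// the browser apply its default"; None means "write SameSite=None explicitly".
enum SameSitePolicy { Unspecified, None, Lax, Strict }

static class CookieSerializer
{
    // Mirrors the pre-fix behaviour: None is treated the same as "not set", so
    // the header never carries SameSite=None. Once Chrome defaults to Lax, a
    // cookie that needed cross-site delivery (OAuth/OIDC callbacks) stops working.
    public static string SerializeOld(string name, string value, SameSitePolicy sameSite, bool secure)
    {
        var sb = new StringBuilder();
        sb.Append(name).Append('=').Append(value);
        if (secure) sb.Append("; Secure");
        if (sameSite != SameSitePolicy.Unspecified && sameSite != SameSitePolicy.None)
            sb.Append("; SameSite=").Append(sameSite);
        return sb.ToString();
    }

    // Fixed behaviour: only Unspecified suppresses the attribute; None is written
    // out. Browsers that implement the new draft also require Secure alongside
    // SameSite=None, so the insecure combination is rejected up front instead of
    // producing a cookie the browser will discard.
    public static string SerializeNew(string name, string value, SameSitePolicy sameSite, bool secure)
    {
        if (sameSite == SameSitePolicy.None && !secure)
            throw new ArgumentException("SameSite=None cookies must also be marked Secure.", nameof(secure));

        var sb = new StringBuilder();
        sb.Append(name).Append('=').Append(value);
        if (secure) sb.Append("; Secure");
        if (sameSite != SameSitePolicy.Unspecified)
            sb.Append("; SameSite=").Append(sameSite);
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample cookie: an OIDC correlation cookie that must be sent
        // on the cross-site callback, so it needs an explicit SameSite=None.
        Console.WriteLine(SerializeOld("corr", "abc", SameSitePolicy.None, secure: true));
        // prints: corr=abc; Secure            (attribute dropped -> Chrome 80 treats it as Lax)
        Console.WriteLine(SerializeNew("corr", "abc", SameSitePolicy.None, secure: true));
        // prints: corr=abc; Secure; SameSite=None
        Console.WriteLine(SerializeNew("session", "xyz", SameSitePolicy.Unspecified, secure: true));
        // prints: session=xyz; Secure         (browser default applies, by choice)
    }
}
```

Before rolling a fix like this out, check the framework version's own output with a real response: the issue notes that the patched serializer also needs a compat switch (`Microsoft.AspNetCore.SuppressSameSiteNone` in the linked commits) because browsers that predate the draft, Safari in particular per the discussion above, mis-handle an explicit None value.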