Legacy Manage SameSite Cookie Settings #1126 #1174
Conversation
| @@ -506,6 +506,113 @@ class UtilTests extends TestClass { | |||
| Assert.equal("p.r.e.f.i.x.bing.com", UrlHelper.parseHost("http://wwW2.p.r.e.f.i.x.bing.com/")); | |||
| } | |||
| }); | |||
|
|
|||
| this.testCase({ | |||
There was a problem hiding this comment.
Backported the SameSite code and tests added to the current version
| @@ -4,6 +4,13 @@ | |||
| /// <reference path="./Logging.ts" /> | |||
| /// <reference path="./UtilHelpers.ts" /> | |||
|
|
|||
|
|
|||
| function _endsWith(value:string, search:string) { | |||
There was a problem hiding this comment.
Backported the SameSite code and tests added to the current version
| // UCBrowser < 12.13.2 ignores Set-Cookie headers with SameSite=None | ||
| // NB: this rule isn't complete - you need regex to make a complete rule. | ||
| // See: https://www.chromium.org/updates/same-site/incompatible-clients | ||
| if (userAgent.indexOf("UCBrowser/12") !== -1 || userAgent.indexOf("UCBrowser/11") !== -1) { |
There was a problem hiding this comment.
While these are not exactly the same as that defined by https://www.chromium.org/updates/same-site/incompatible-clients this is using string validation rather than regex for better performance and the set of UA's is based on actual usage for AI and other MS sites.
| // Cover Chrome 50-69, because some versions are broken by SameSite=None, and none in this range require it. | ||
| // Note: this covers some pre-Chromium Edge versions, but pre-Chromim Edge does not require SameSite=None, so this is fine. | ||
| // Note: this regex applies to Windows, Mac OS X, and Linux, deliberately. | ||
| if (userAgent.indexOf("Chrome/5") !== -1 || userAgent.indexOf("Chrome/6") !== -1) { |
There was a problem hiding this comment.
While this will match Chrome versions 50, 67, 68 and 69 as incompatible (when they actually are compatible) is not expected to cause any issues as these older versions today are already functional without the SameSite attribute / restriction, which is only really required for the later versions).
| @@ -329,7 +397,15 @@ module Microsoft.ApplicationInsights { | |||
|
|
|||
| if (Util.document.location && Util.document.location.protocol === "https:") { | |||
| secureAttrib = ";secure"; | |||
| value = value + ";SameSite=None"; // SameSite can only be changed on secure pages | |||
| if (Util._uaDisallowsSameSiteNone === null) { | |||
There was a problem hiding this comment.
Optimization, so we only perform this check once rather than for every cookie
Address UA validation when setting SameSite attribute on the cookie for the Legacy build