-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Legacy Manage SameSite Cookie Settings #1126 #1174
Conversation
@@ -506,6 +506,113 @@ class UtilTests extends TestClass { | |||
Assert.equal("p.r.e.f.i.x.bing.com", UrlHelper.parseHost("http://wwW2.p.r.e.f.i.x.bing.com/")); | |||
} | |||
}); | |||
|
|||
this.testCase({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Backported the SameSite code and tests added to the current version
@@ -4,6 +4,13 @@ | |||
/// <reference path="./Logging.ts" /> | |||
/// <reference path="./UtilHelpers.ts" /> | |||
|
|||
|
|||
function _endsWith(value:string, search:string) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Backported the SameSite code and tests added to the current version
// UCBrowser < 12.13.2 ignores Set-Cookie headers with SameSite=None | ||
// NB: this rule isn't complete - you need regex to make a complete rule. | ||
// See: https://www.chromium.org/updates/same-site/incompatible-clients | ||
if (userAgent.indexOf("UCBrowser/12") !== -1 || userAgent.indexOf("UCBrowser/11") !== -1) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While these are not exactly the same as that defined by https://www.chromium.org/updates/same-site/incompatible-clients this is using string validation rather than regex for better performance and the set of UA's is based on actual usage for AI and other MS sites.
// Cover Chrome 50-69, because some versions are broken by SameSite=None, and none in this range require it. | ||
// Note: this covers some pre-Chromium Edge versions, but pre-Chromim Edge does not require SameSite=None, so this is fine. | ||
// Note: this regex applies to Windows, Mac OS X, and Linux, deliberately. | ||
if (userAgent.indexOf("Chrome/5") !== -1 || userAgent.indexOf("Chrome/6") !== -1) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While this will match Chrome versions 50, 67, 68 and 69 as incompatible (when they actually are compatible) is not expected to cause any issues as these older versions today are already functional without the SameSite attribute / restriction, which is only really required for the later versions).
@@ -329,7 +397,15 @@ module Microsoft.ApplicationInsights { | |||
|
|||
if (Util.document.location && Util.document.location.protocol === "https:") { | |||
secureAttrib = ";secure"; | |||
value = value + ";SameSite=None"; // SameSite can only be changed on secure pages | |||
if (Util._uaDisallowsSameSiteNone === null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optimization, so we only perform this check once rather than for every cookie
Address UA validation when setting SameSite attribute on the cookie for the Legacy build