From 8f414390cc72da90e9a450a2127acaea247e3dda Mon Sep 17 00:00:00 2001 From: Robert Paprocki Date: Tue, 31 May 2016 13:41:38 -0700 Subject: Implement support for SameSite attribute SameSite is an update to RFC6265, allowing servers to assert that user agents should not send certain cookies along with cross-site requests. See: https://tools.ietf.org/html/draft-west-first-party-cookies-07 --- lib/resty/cookie.lua | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'lib') diff --git a/lib/resty/cookie.lua b/lib/resty/cookie.lua index 11d435f..b61877e 100644 --- a/lib/resty/cookie.lua +++ b/lib/resty/cookie.lua @@ -8,6 +8,7 @@ local sub = string.sub local format = string.format local log = ngx.log local ERR = ngx.ERR +local WARN = ngx.WARN local ngx_header = ngx.header local EQUAL = byte("=") @@ -136,6 +137,17 @@ local function bake(cookie) if cookie["max-age"] then cookie.max_age = cookie["max-age"] end + + if (cookie.samesite) then + local samesite = cookie.samesite + + -- if we dont have a valid-looking attribute, ignore the attribute + if (samesite ~= "Strict" and samesite ~= "Lax") then + log(WARN, "SameSite value must be 'Strict' or 'Lax'") + cookie.samesite = nil + end + end + local str = cookie.key .. "=" .. cookie.value .. (cookie.expires and "; Expires=" .. cookie.expires or "") .. (cookie.max_age and "; Max-Age=" .. cookie.max_age or "") @@ -143,6 +155,7 @@ local function bake(cookie) .. (cookie.path and "; Path=" .. cookie.path or "") .. (cookie.secure and "; Secure" or "") .. (cookie.httponly and "; HttpOnly" or "") + .. (cookie.samesite and "; SameSite=" .. cookie.samesite or "") .. (cookie.extension and "; " .. cookie.extension or "") return str end -- cgit v1.2.3-70-g09d2