From 8f414390cc72da90e9a450a2127acaea247e3dda Mon Sep 17 00:00:00 2001 From: Robert Paprocki Date: Tue, 31 May 2016 13:41:38 -0700 Subject: Implement support for SameSite attribute SameSite is an update to RFC6265, allowing servers to assert that user agents should not send certain cookies along with cross-site requests. See: https://tools.ietf.org/html/draft-west-first-party-cookies-07 --- t/sanity.t | 47 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 42 insertions(+), 5 deletions(-) (limited to 't') diff --git a/t/sanity.t b/t/sanity.t index 952b81e..cb52ae8 100644 --- a/t/sanity.t +++ b/t/sanity.t @@ -5,7 +5,7 @@ use Cwd qw(cwd); repeat_each(2); -plan tests => repeat_each() * (blocks() * 3 + 4); +plan tests => repeat_each() * (blocks() * 3 + 6); my $pwd = cwd(); @@ -53,8 +53,6 @@ Cookie: SID=31d4d96e407aad42; lang=en-US SID => 31d4d96e407aad42 lang => en-US - - === TEST 2: sanity 2 --- http_config eval: $::HttpConfig --- config @@ -188,7 +186,7 @@ SID => foo key = "Name", value = "Bob", path = "/", domain = "example.com", secure = true, httponly = true, expires = "Wed, 09 Jun 2021 10:18:14 GMT", max_age = 50, - extension = "a4334aebaec" + samesite = "Strict", extension = "a4334aebaec" }) if not ok then ngx.log(ngx.ERR, err) @@ -202,7 +200,7 @@ GET /t --- no_error_log [error] --- response_headers -Set-Cookie: Name=Bob; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=50; Domain=example.com; Path=/; Secure; HttpOnly; a4334aebaec +Set-Cookie: Name=Bob; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=50; Domain=example.com; Path=/; Secure; HttpOnly; SameSite=Strict; a4334aebaec --- response_body Set cookie @@ -307,3 +305,42 @@ GET /t --- raw_response_headers_unlike: Set-Cookie: Name=Bob; Path=/\r\nSet-Cookie: Age=20\r\nSet-Cookie: Name=Bob; Path=/ --- response_body Set cookie + + +=== TEST 9: set cookie with invalid SameSite attribute +--- http_config eval: $::HttpConfig +--- config + location /t { + content_by_lua ' + local ck = require "resty.cookie" + local cookie, err = ck:new() + if not cookie then + ngx.log(ngx.ERR, err) + return + end + + local ok, err = cookie:set({ + key = "Name", value = "Bob", path = "/", + domain = "example.com", secure = true, httponly = true, + expires = "Wed, 09 Jun 2021 10:18:14 GMT", max_age = 50, + samesite = "blahblah", extension = "a4334aebaec" + }) + if not ok then + ngx.log(ngx.ERR, err) + return + end + ngx.say("Set cookie") + '; + } +--- request +GET /t +--- no_error_log +[error] +--- error_log +SameSite value must be 'Strict' or 'Lax' +--- response_headers +Set-Cookie: Name=Bob; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=50; Domain=example.com; Path=/; Secure; HttpOnly; a4334aebaec +--- response_body +Set cookie + + -- cgit v1.2.3-70-g09d2