Some Cookie SameSite defaults changed to None #348

Open
Tratcher opened this issue Mar 5, 2019 · 0 comments
Labels
3.0.0 Announcements related to ASP.NET Core 3.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs

Tratcher (Member) commented Mar 5, 2019

Some Cookie SameSite defaults changed to None

SameSite is an option for cookies that can help mitigate some CSRF attacks. When this option was initially introduced, inconsistent defaults were used across various AspNetCore APIs, which has led to confusing results. In 3.0.0-preview4 we've better aligned these defaults and made the feature opt-in on a per-component basis.

Version introduced

3.0

Old behavior

APIs defaulted to SameSiteMode.Lax.

New behavior

APIs default to SameSiteMode.None.

Reason for change

To make SameSite an opt-in feature.

Recommended action

Each component that emits cookies needs to decide if SameSite is appropriate for their scenarios. Review your usage of the affected APIs and reconfigure SameSite as needed.

Category

ASP.NET

Affected APIs


Issue metadata

  • Issue type: breaking-change
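
One way the recommended action can look in an application's `Startup` class, as an added example that is not part of the original announcement: each cookie-emitting component sets SameSite explicitly instead of relying on a default. The choice of components, the modes picked, and the cookie name `ui-theme` are assumptions; this page does not list the affected APIs.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Floor applied by the cookie policy middleware: a cookie written with
        // a weaker SameSite mode is raised to at least this value.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
        });

        // Authentication cookie: state the mode explicitly so the behaviour
        // does not depend on which framework version supplies the default.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookiePolicy();      // must run before anything that writes cookies
        app.UseAuthentication();

        app.Run(async context =>
        {
            // Cookie written by application code (hypothetical name and value).
            // Without an explicit SameSite here, the CookieOptions default applies.
            context.Response.Cookies.Append("ui-theme", "dark", new CookieOptions
            {
                SameSite = SameSiteMode.Strict,
                HttpOnly = true,
                Secure = true
            });
            await context.Response.WriteAsync("ok");
        });
    }
}
```

Inspecting the `Set-Cookie` response headers after an upgrade shows which cookies carry a SameSite attribute and which components still need an explicit setting.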
@Tratcher Tratcher added this to the 3.0.0-preview4 milestone Mar 5, 2019
@aspnet aspnet locked as resolved and limited conversation to collaborators Mar 5, 2019
@analogrelay analogrelay added the 3.0.0 Announcements related to ASP.NET Core 3.0 label Nov 20, 2019
@scottaddie scottaddie added the Documented The breaking change has been published to the .NET Core docs label Dec 17, 2019