Some Cookie SameSite defaults changed to None #348

Open · Tratcher opened this issue Mar 5, 2019 · 0 comments
Tratcher commented Mar 5, 2019

SameSite is an option for cookies that can help mitigate some XSS attacks. Each component that emits cookies needs to decide if SameSite is appropriate for its scenarios. When this option was initially introduced, inconsistent defaults were used across various AspNetCore APIs, which has led to confusing results. In 3.0.0-preview4 we've better aligned these defaults and made the feature opt-in on a per-component basis.

Affected APIs:

  • CookieOptions used with HttpResponse.Cookies.Append has changed its default from SameSiteMode.Lax to SameSiteMode.None.
  • CookieBuilder used as a factory for CookieOptions has changed its default from SameSiteMode.Lax to SameSiteMode.None.
  • CookiePolicyOptions.MinimumSameSitePolicy has changed its default from SameSiteMode.Lax to SameSiteMode.None.

Note all AspNetCore components that emit cookies override these defaults with settings appropriate for their scenarios and these values have not changed:

  • Session: Lax
  • CookieTempDataProvider: Lax
  • Antiforgery: Strict
  • CookieAuthentication: Lax
  • TwitterAuthentication state cookie: Lax
  • RemoteAuthentication correlation cookie (OAuth): None
  • OpenIdConnect nonce cookie: None

See aspnet/AspNetCore#8212 for discussion.
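Because the three defaults listed above now fall back to `SameSiteMode.None`, application code that relied on the old `Lax` default silently loses the attribute after upgrading. The following is an added example (not code from this issue or from the AspNetCore repository) showing how an app can make its SameSite choices explicit on each affected API, and how `CookiePolicyOptions.MinimumSameSitePolicy` acts as a floor for cookies appended without one. The cookie names `preference` and `wizard-state` are hypothetical.

```csharp
// Added example, not part of the issue text. Assumes an ASP.NET Core 3.0-era app;
// every SameSite value is stated explicitly so the library defaults never decide it.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // CookiePolicyOptions.MinimumSameSitePolicy now defaults to None (3.0.0-preview4).
        // Setting it to Lax makes the CookiePolicy middleware upgrade any outgoing cookie
        // whose SameSite value is weaker than Lax, so a forgotten option still gets Lax.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
            options.Secure = CookieSecurePolicy.Always;
            options.HttpOnly = HttpOnlyPolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must be registered before any middleware that appends cookies,
        // otherwise the minimum policy is never applied to them.
        app.UseCookiePolicy();

        app.Run(async context =>
        {
            // HttpResponse.Cookies.Append: the CookieOptions default is now None,
            // so state the value instead of relying on the old Lax default.
            context.Response.Cookies.Append("preference", "dark", new CookieOptions
            {
                SameSite = SameSiteMode.Lax,
                Secure = true,
                HttpOnly = true,
            });

            // CookieBuilder: its default also changed to None. Building the options
            // from an explicit builder keeps the choice in one place per component.
            var wizardCookie = new CookieBuilder
            {
                Name = "wizard-state",
                SameSite = SameSiteMode.Strict,
                SecurePolicy = CookieSecurePolicy.Always,
                HttpOnly = true,
            };
            context.Response.Cookies.Append(
                wizardCookie.Name, "step-2", wizardCookie.Build(context));

            await context.Response.WriteAsync("cookies written with explicit SameSite");
        });
    }
}
```

Checking the actual `Set-Cookie` headers in an integration test (or the browser's developer tools) after the upgrade is the quickest way to confirm that no cookie lost its `SameSite` attribute. Note that in this preview, `SameSiteMode.None` means the attribute is simply omitted; ASP.NET Core 3.1 later changed `None` to emit a literal `SameSite=None` and added `SameSiteMode.Unspecified` for the omit-the-attribute behaviour, so code written against this preview should be re-checked when moving to 3.1.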

@Tratcher Tratcher added this to the 3.0.0-preview4 milestone Mar 5, 2019

@aspnet aspnet locked as resolved and limited conversation to collaborators Mar 5, 2019
