
Add support for Cookie SameSite attribute #641

Merged: schloerke merged 5 commits into rstudio:master from chris-dudley:feature/add-cookie-same-site-flag on Aug 12, 2020

@chris-dudley
Contributor

Adds an optional sameSite attribute to the following functions:

  • sessionCookie()
  • pr_cookie()
  • res$setCookie()
  • res$removeCookie()
  • removeCookieStr
  • cookieToStr

If set to a character value <value>, the generated cookie will contain a SameSite=<value> attribute.

Fixes #640

Allows the SameSite attribute to be set on cookies. This is especially important for Cross-Origin requests, as in the near future browsers will automatically default to the "SameSite=Lax" policy for cookies without an explicit policy set. This will prevent cookies from being sent on Cross-Origin requests unless the policy is set to "None".

See:

Christopher Dudley added 2 commits August 10, 2020 12:53
Allows the SameSite attribute to be set on cookies.
This is especially important for Cross-Origin requests,
as in the near future browsers will automatically default
to the "SameSite=Lax" policy for cookies without an
explicit policy set. This will prevent cookies from being
sent on Cross-Origin requests unless the policy is set to
"None".

See:
https://www.chromestatus.com/feature/5088147346030592
https://www.chromestatus.com/feature/5633521622188032

Adds `sameSite` parameter to `pr_cookie()`.
Adds additional tests.
Adds entry to NEWS.md.

@CLAassistant

CLAassistant commented Aug 10, 2020

CLA assistant check
All committers have signed the CLA.

@schloerke schloerke requested a review from jcheng5 August 11, 2020 17:11
The sessionCookie() function now checks that the value of
sameSite is one of the 3 allowed values.

If sameSite is set to None and secure is FALSE, an error
will be emitted.
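
The two checks described in the commit message above, sketched as an added example (this is not plumber's code and not part of the pull request). `buildSetCookie()` and the sample cookie names and values are hypothetical and constructed for illustration.

```r
# Hypothetical helper (not plumber's implementation): builds a Set-Cookie
# header value and applies the two checks from the commit message:
#   1. sameSite must be one of the 3 allowed values
#   2. sameSite = "None" is only accepted together with secure = TRUE
buildSetCookie <- function(name, value, path = "/", http = TRUE,
                           secure = FALSE, sameSite = NULL) {
  allowed <- c("Strict", "Lax", "None")
  parts <- c(
    paste0(name, "=", utils::URLencode(as.character(value), reserved = TRUE)),
    paste0("Path=", path)
  )
  if (isTRUE(http)) parts <- c(parts, "HttpOnly")
  if (isTRUE(secure)) parts <- c(parts, "Secure")

  if (!is.null(sameSite)) {
    if (!is.character(sameSite) || length(sameSite) != 1L) {
      stop("sameSite must be a single character value")
    }
    # Match case-insensitively, then normalise to the canonical spelling.
    idx <- match(tolower(sameSite), tolower(allowed))
    if (is.na(idx)) {
      stop("sameSite must be one of: ", paste(allowed, collapse = ", "))
    }
    sameSite <- allowed[idx]
    # A SameSite=None cookie without Secure is rejected by browsers that
    # enforce the policy, so fail early on the server side.
    if (sameSite == "None" && !isTRUE(secure)) {
      stop("sameSite = \"None\" requires secure = TRUE")
    }
    parts <- c(parts, paste0("SameSite=", sameSite))
  }
  paste(parts, collapse = "; ")
}

# Constructed sample calls.
cat(buildSetCookie("session", "abc 123", secure = TRUE, sameSite = "none"), "\n")
cat(buildSetCookie("prefs", "dark", sameSite = "Lax"), "\n")

# The insecure combination is refused; print the error message instead.
msg <- tryCatch(buildSetCookie("session", "abc", sameSite = "None"),
                error = function(e) conditionMessage(e))
cat(msg, "\n")
```
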
@schloerke
Collaborator

Thank you @chris-dudley! Once I get @jcheng5's approval, I'll merge. 😄

Member

@jcheng5 jcheng5 left a comment

Thank you for the contribution @chris-dudley!

@schloerke schloerke merged commit 931f078 into rstudio:master Aug 12, 2020
schloerke added a commit that referenced this pull request Aug 12, 2020
* master:
  Fix legacy Dockerfile example argument (#648)
  Remove `plumber.debug` option (#639)
  Added longer gpg key 51716619E084DAB9 to avoid collisions (#645)
  Added trimws so that ^analogsea regex works in checkAnalogSea (#643)
  Add support for Cookie SameSite attribute (#641)