Update SameSite doc (dotnet#17050)

* Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc * Update SameSite doc
m-soltani · Feb 19, 2020 · 94808ea · 94808ea
1 parent fdb7fdf
commit 94808ea
Show file tree

Hide file tree

Showing 8 changed files with 656 additions and 6 deletions.
diff --git a/aspnetcore/security/samesite.md b/aspnetcore/security/samesite.md
@@ -11,17 +11,65 @@ uid: security/samesite
 
 By [Rick Anderson](https://twitter.com/RickAndMSFT)
 
-[SameSite](https://tools.ietf.org/html/draft-west-first-party-cookies-07) is an [IETF](https://ietf.org/about/) draft designed to provide some protection against cross-site request forgery (CSRF) attacks. The [SameSite 2019 draft](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00):
+SameSite is an [IETF](https://ietf.org/about/) draft standard designed to provide some protection against cross-site request forgery (CSRF) attacks. Originally drafted in [2016](https://tools.ietf.org/html/draft-west-first-party-cookies-07), the draft standard was updated in [2019](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). The updated standard is not backward compatible with the previous standard, with the following being the most noticeable differences:
 
-* Treats cookies as `SameSite=Lax` by default.
-* States cookies that explicitly assert `SameSite=None` in order to enable cross-site delivery should be marked as `Secure`.
+* Cookies without SameSite header are treated as `SameSite=Lax` by default.
+* `SameSite=None` must be used to allow cross-site cookie use.
+* Cookies that assert `SameSite=None` must also be marked as `Secure`.
+* Applications that use [`<iframe>`](https://developer.mozilla.org/docs/Web/HTML/Element/iframe) may experience issues with `sameSite=Lax` or `sameSite=Strict` cookies because `<iframe>` is treated as cross-site scenarios.
+* The value `SameSite=None` is not allowed by the [2016 standard](https://tools.ietf.org/html/draft-west-first-party-cookies-07) and causes some implementations to treat such cookies as `SameSite=Strict`. See [Supporting older browsers](#sob) in this document.
 
-`Lax` works for most app cookies. Some forms of authentication like [OpenID Connect](https://openid.net/connect/) (OIDC) and [WS-Federation](https://auth0.com/docs/protocols/ws-fed) default to POST based redirects. The POST based redirects trigger the SameSite browser protections, so SameSite is disabled for these components. Most [OAuth](https://oauth.net/) logins are not affected due to differences in how the request flows.
-
-The `None` parameter causes compatibility problems with clients that implemented the prior 2016 draft standard (for example, iOS 12). See [Supporting older browsers](#sob) in this document.
+The `SameSite=Lax` setting works for most application cookies. Some forms of authentication like [OpenID Connect](https://openid.net/connect/) (OIDC) and [WS-Federation](https://auth0.com/docs/protocols/ws-fed) default to POST based redirects. The POST based redirects trigger the SameSite browser protections, so SameSite is disabled for these components. Most [OAuth](https://oauth.net/) logins are not affected due to differences in how the request flows.
 
 Each ASP.NET Core component that emits cookies needs to decide if SameSite is appropriate.
 
+## SameSite test sample code
+
+ ::: moniker range=">= aspnetcore-2.1 < aspnetcore-3.0"
+
+The following samples can be downloaded and tested:
+
+| Sample               | Document |
+| ----------------- | ------------ |
+| [.NET Core MVC](https://github.com/blowdart/AspNetSameSiteSamples/tree/master/AspNetCore21MVC)  | <xref:security/samesite/mvc21> |
+| [.NET Core Razor Pages](https://github.com/blowdart/AspNetSameSiteSamples/tree/master/AspNetCore21RazorPages)  | <xref:security/samesite/rp21> |
+
+::: moniker-end
+
+::: moniker range=">= aspnetcore-3.0"
+
+The following sample can be downloaded and tested:
+
+
+| Sample               | Document |
+| ----------------- | ------------ |
+| [.NET Core Razor Pages](https://github.com/blowdart/AspNetSameSiteSamples/tree/master/AspNetCore31RazorPages)  | <xref:security/samesite/rp31> |
+
+::: moniker-end
+
+::: moniker range=">= aspnetcore-2.2"
+
+## .NET Core support for the sameSite attribute
+
+.NET Core 2.2 supports the 2019 draft standard for SameSite since the release of updates in December 2019. Developers are able to programmatically control the value of the sameSite attribute using the `HttpCookie.SameSite` property. Setting the `SameSite` property to Strict, Lax, or None results in those values being written on the network with the cookie. Setting it equal to (SameSiteMode)(-1) indicates that no sameSite attribute should be included on the network with the cookie
+
+[!code-csharp[](samesite/snippets/Privacy.cshtml.cs?name=snippet)]
+
+.NET Core 3.0 supports the updated SameSite values and adds an extra enum value, `SameSiteMode.Unspecified` to the `SameSiteMode` enum.
+This new value indicates no sameSite should be sent with the cookie.
+
+::: moniker-end
+
+::: moniker range="= aspnetcore-2.1"
+
+## December patch behavior changes
+
+The specific behavior change for .NET Framework and .NET Core 2.1 is how the `SameSite` property interprets the `None` value. Before the patch a value of `None` meant "Do not emit the attribute at all", after the patch it means "Emit the attribute with a value of `None`". After the patch a `SameSite` value of `(SameSiteMode)(-1)` causes the attribute not to be emitted.
+
+The default SameSite value for forms authentication and session state cookies was changed from `None` to `Lax`.
+
+::: moniker-end
+
 ## API usage with SameSite
 
 [HttpContext.Response.Cookies.Append](xref:Microsoft.AspNetCore.Http.IResponseCookies.Append*) defaults to `Unspecified`, meaning no SameSite attribute added to the cookie and the client will use its default behavior (Lax for new browsers, None for old ones). The following code shows how to change the cookie SameSite value to `SameSiteMode.Lax`:
@@ -163,3 +211,22 @@ Versions of Electron include older versions of Chromium. For example, the versio
 * [Chromium Blog:Developers: Get Ready for New SameSite=None; Secure Cookie Settings](https://blog.chromium.org/2019/10/developers-get-ready-for-new.html)
 * [SameSite cookies explained](https://web.dev/samesite-cookies-explained/)
 * [November 2019 Patches](https://devblogs.microsoft.com/dotnet/net-core-November-2019/)
+
+ ::: moniker range=">= aspnetcore-2.1 < aspnetcore-3.0"
+
+| Sample               | Document |
+| ----------------- | ------------ |
+| [.NET Core MVC](https://github.com/blowdart/AspNetSameSiteSamples/tree/master/AspNetCore21MVC)  | <xref:security/samesite/mvc21> |
+| [.NET Core Razor Pages](https://github.com/blowdart/AspNetSameSiteSamples/tree/master/AspNetCore21RazorPages)  | <xref:security/samesite/rp21> |
+
+::: moniker-end
+
+ ::: moniker range=">= aspnetcore-3.0"
+
+| Sample               | Document |
+| ----------------- | ------------ |
+| [.NET Core Razor Pages](https://github.com/blowdart/AspNetSameSiteSamples/tree/master/AspNetCore31RazorPages)  | <xref:security/samesite/rp31> |
+
+::: moniker-end
+
+::: moniker range=">= aspnetcore-2.2"
diff --git a/aspnetcore/security/samesite/BrowserDebugger.png b/aspnetcore/security/samesite/BrowserDebugger.png
diff --git a/aspnetcore/security/samesite/mvc21.md b/aspnetcore/security/samesite/mvc21.md
@@ -0,0 +1,160 @@
+---
+title: ASP.NET Core 2.1 MVC SameSite cookie sample
+author: rick-anderson
+description: ASP.NET Core 2.1 MVC SameSite cookie sample
+monikerRange: '>= aspnetcore-2.1 < aspnetcore-3.0'
+ms.author: riande
+ms.custom: mvc
+ms.date: 12/03/2019
+uid: security/samesite/mvc21
+---
+
+# ASP.NET Core 2.1 MVC SameSite cookie sample
+
+ASP.NET Core 2.1 has built-in support for the [SameSite](https://www.owasp.org/index.php/SameSite) attribute, but it was written to the original standard. The [patched behavior](https://github.com/dotnet/aspnetcore/issues/8212) changed the meaning of `SameSite.None` to emit the sameSite attribute with a value of `None`, rather than not emit the value at all. If you want to not emit the value you can set the `SameSite` property on a cookie to -1.
+
+## <a name="sampleCode"></a>Writing the SameSite attribute
+
+Following is an example of how to write a SameSite attribute on a cookie:
+
+```c#
+var cookieOptions = new CookieOptions
+{
+    // Set the secure flag, which Chrome's changes will require for SameSite none.
+    // Note this will also require you to be running on HTTPS
+    Secure = true,
+
+    // Set the cookie to HTTP only which is good practice unless you really do need
+    // to access it client side in scripts.
+    HttpOnly = true,
+
+    // Add the SameSite attribute, this will emit the attribute with a value of none.
+    // To not emit the attribute at all set the SameSite property to (SameSiteMode)(-1).
+    SameSite = SameSiteMode.None
+};
+
+// Add the cookie to the response cookie collection
+Response.Cookies.Append(CookieName, "cookieValue", cookieOptions);
+```
+
+## Setting Cookie Authentication and Session State cookies
+
+Cookie authentication, session state and [various other components](https://docs.microsoft.com/aspnet/core/security/samesite?view=aspnetcore-2.1) set their sameSite options via Cookie options, for example
+
+```c#
+services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+    .AddCookie(options =>
+    {
+        options.Cookie.SameSite = SameSiteMode.None;
+        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+        options.Cookie.IsEssential = true;
+    });
+
+services.AddSession(options =>
+{
+    options.Cookie.SameSite = SameSiteMode.None;
+    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+    options.Cookie.IsEssential = true;
+});
+```
+
+In the preceding code, both cookie authentication and session state set their sameSite attribute to `None`, emitting the attribute with a `None` value, and also set the Secure attribute to true.
+
+### Run the sample
+
+If you run the [sample project](https://github.com/blowdart/AspNetSameSiteSamples/tree/master/AspNetCore21MVC), load your browser debugger on the initial page and use it to view the cookie collection for the site. To do so in Edge and Chrome press `F12` then select the `Application` tab and click the site URL under the `Cookies` option in the `Storage` section.
+
+![Browser Debugger Cookie List](BrowserDebugger.png)
+
+You can see from the image above that the cookie created by the sample when you click the "Create SameSite Cookie" button has a SameSite attribute value of `Lax`, matching the value set in the [sample code](#sampleCode).
+
+## <a name="interception"></a>Intercepting cookies
+
+In order to intercept cookies, to adjust the none value according to its support in the user's browser agent you must use the `CookiePolicy` middleware. This must be placed into the http request pipeline **before** any components that write cookies and configured within `ConfigureServices()`.
+
+To insert it into the pipeline use `app.UseCookiePolicy()` in the `Configure(IApplicationBuilder, IHostingEnvironment)` method in [Startup.cs](https://github.com/blowdart/AspNetSameSiteSamples/blob/master/AspNetCore21MVC/Startup.cs). For example:
+
+```c#
+public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+{
+    if (env.IsDevelopment())
+    {
+       app.UseDeveloperExceptionPage();
+    }
+    else
+    {
+        app.UseExceptionHandler("/Home/Error");
+        app.UseHsts();
+    }
+
+    app.UseHttpsRedirection();
+    app.UseStaticFiles();
+    app.UseCookiePolicy();
+    app.UseAuthentication();
+    app.UseSession();
+
+    app.UseMvc(routes =>
+    {
+        routes.MapRoute(
+            name: "default",
+            template: "{controller=Home}/{action=Index}/{id?}");
+    });
+}
+```
+
+Then in the `ConfigureServices(IServiceCollection services)` configure the cookie policy to call out to a helper class when cookies are appended or deleted. For example:
+
+```c#
+public void ConfigureServices(IServiceCollection services)
+{
+    services.Configure<CookiePolicyOptions>(options =>
+    {
+        options.CheckConsentNeeded = context => true;
+        options.MinimumSameSitePolicy = SameSiteMode.None;
+        options.OnAppendCookie = cookieContext =>
+            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
+        options.OnDeleteCookie = cookieContext =>
+            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
+    });
+}
+
+private void CheckSameSite(HttpContext httpContext, CookieOptions options)
+{
+    if (options.SameSite == SameSiteMode.None)
+    {
+        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
+        if (SameSite.BrowserDetection.DisallowsSameSiteNone(userAgent))
+        {
+            options.SameSite = (SameSiteMode)(-1);
+        }
+    }
+}
+```
+
+The helper function `CheckSameSite(HttpContext, CookieOptions)`:
+
+* Is called when cookies are appended to the request or deleted from the request.
+* Checks to see if the `SameSite` property is set to `None`.
+* If `SameSite` is set to `None` and the current user agent is known to not support the
+none attribute value. The check is done using the [SameSiteSupport](https://github.com/aspnet/AspNetCore.Docs/tree/master/aspnetcore/security/samesite/sample/snippets/SameSiteSupport.cs) class:
+  * Sets `SameSite` to not emit the value by setting the property to `(SameSiteMode)(-1)`
+
+## Targeting .NET Framework
+
+ASP.NET Core and System.Web (ASP.NET Classic) have independent implementations of SameSite. The SameSite KB patches for .NET Framework are not required if using ASP.NET Core nor does the System.Web SameSite minimum framework version requirement (.NET 4.7.2) apply to ASP.NET Core.
+
+ASP.NET Core on .NET requires updating nuget package dependencies to get the appropriate fixes.
+
+To get the ASP.NET Core changes for .NET Framework ensure that you have a direct reference to the patched packages and 
+versions (2.1.14 or later 2.1 versions).
+
+```xml
+<PackageReference Include="Microsoft.Net.Http.Headers" Version="2.1.14" />
+<PackageReference Include="Microsoft.AspNetCore.CookiePolicy" Version="2.1.14" />
+```
+
+### More Information
+
+[Chrome Updates](https://www.chromium.org/updates/same-site)
+[ASP.NET Core SameSite Documentation](https://docs.microsoft.com/aspnet/core/security/samesite?view=aspnetcore-2.1)
+[ASP.NET Core 2.1 SameSite Change Announcement](https://github.com/dotnet/aspnetcore/issues/8212)