fixing missing ; also removing extra Secure if set in cookie already #4

Open. Wants to merge 1 commit into base: main.
23 changes: 19 additions & 4 deletions security/http/cookies/samesite-attributes-pre-v12.tcl
Expand Up @@ -131,6 +131,10 @@ when CLIENT_ACCEPTED priority 100 {

# Regex to match samesite=none optionally followed by a semi-colon, space, comma and an option space
set regex_samesite_none {samesite=none[\; ,]? ?}

# Regex to match samesite=none optionally followed by a semi-colon, space, comma and an option space
set regex_samesite_none_secure {samesite=none[\; ,]secure[\; ,]}


# Regex to match samesite=VALUE optionally followed by a semi-colon, space, comma and an option space
set regex_samesite_any {samesite=(none|strict|lax)[\; ,]? ?}
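Review bot: the comment above `set regex_samesite_none_secure` is a verbatim copy of the one above `regex_samesite_none` and does not describe the new pattern; it should say that it matches `samesite=none` followed by a separator, `secure`, and a second separator. More importantly, `{samesite=none[\; ,]secure[\; ,]}` requires exactly one separator character between `none` and `secure` and a separator after `secure`, so the form this iRule itself emits in HTTP_RESPONSE_RELEASE, `SameSite=None; Secure;` (semicolon plus space), and the common trailing form `SameSite=None; Secure` with no final separator are both left untouched. Consider `{samesite=none[\; ,] ?secure[\; ,]? ?}` so the removal accepts the same optional-space and optional-terminator variants the two regexes around it already do.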
Expand Down Expand Up @@ -196,16 +200,27 @@ when HTTP_RESPONSE_RELEASE priority 900 {

foreach set_cookie $set_cookie_headers {

# Remove any prior instances of SameSite=None;Secure attribute and value from this Set-Cookie header
if {[string match -nocase {*samesite=none[\; ,]*secure[\; ,]*} $set_cookie]}{

set set_cookie [regsub -nocase -all $regex_samesite_none_secure $set_cookie "" ]

if { $samesite_debug }{ log local0. "$prefix Found samesite=none; Secure; and removed it: $set_cookie"}
}

# Remove any prior instances of SameSite attribute and value from this Set-Cookie header
if {[string match -nocase {*samesite=none*} $set_cookie]}{
set set_cookie [regsub -nocase -all $regex_samesite_any $set_cookie ""]

set set_cookie [regsub -nocase -all $regex_samesite_any $set_cookie "" ]

if { $samesite_debug }{ log local0. "$prefix Found samesite=none and removed it: $set_cookie"}
}

# Insert the current Set-Cookie header with SameSite attribute appended
if {[string equal -nocase $samesite_security "none"]}{
# Might want to check if Secure is already set in this header?
HTTP::header insert {Set-Cookie} "$set_cookie SameSite=None; Secure;"
if { $samesite_debug }{ log local0. "$prefix Adding Set-Cookie: $set_cookie SameSite=None; Secure;" }
# Might want to check if Secure is already set in this header? - We do up above now.
HTTP::header insert {Set-Cookie} "$set_cookie; SameSite=None; Secure;"
if { $samesite_debug }{ log local0. "$prefix Adding Set-Cookie: $set_cookie SameSite=None; Secure" }
} else {
HTTP::header insert {Set-Cookie} "$set_cookie; SameSite=$samesite_security;"
if { $samesite_debug }{ log local0. "$prefix Adding Set-Cookie: $set_cookie SameSite=$samesite_security;" }
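Review bot: the detection glob in `if {[string match -nocase {*samesite=none[\; ,]*secure[\; ,]*} $set_cookie]}` is wider than the `$regex_samesite_none_secure` pattern the regsub applies, and both require a separator character after `secure`, so a header ending in `SameSite=None; Secure` (the usual case, with no trailing semicolon) is not stripped by this block; the following block then removes only `samesite=none` via `$regex_samesite_any`, leaving a bare `Secure`, and `HTTP::header insert {Set-Cookie} "$set_cookie; SameSite=None; Secure;"` appends a second one, which is exactly the duplicate `Secure` this PR sets out to remove. Aligning the glob and the regsub pattern and making the trailing separator optional closes that gap. Two smaller points in the same hunk: the `{*samesite=none*}` guard on the second block only fires for `none`, so an incoming `SameSite=Lax` or `SameSite=Strict` survives and ends up alongside the appended attribute; and the debug log on the `none` branch now reads `SameSite=None; Secure` while the header inserted on the line above it ends in `Secure;`, so the log no longer shows what was actually sent.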