Add detection of SameSite=None browser feature.

7387ecb5 · Jonathan Huot · Dridi Boukelmoune · 2bcd5482 · 7387ecb5 · 7387ecb5
Commit 7387ecb5 authored Apr 22, 2020 by Jonathan Huot Committed by Dridi Boukelmoune Aug 05, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 106 additions and 0 deletions

samesite.vcl samesite.vcl +37 -0

10-samesite.vtc tests/10-samesite.vtc +69 -0

No files found.
--- a/samesite.vcl
+++ b/samesite.vcl
+sub samesite {
+        # See list here:
+        # https://www.chromium.org/updates/same-site/incompatible-clients
+	unset req.http.X-UA-SameSiteNone;
+	set req.http.X-UA-SameSiteNone = "supported";
+
+        # Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). These Chrome versions will reject a cookie with `SameSite=None`
+        if (req.http.user-agent ~ "Chrom(e|ium)" &&
+        (req.http.user-agent ~ "Chrom[^ \/]+\/5[1-9][\.\d]*" ||
+        req.http.user-agent ~ "Chrom[^ \/]+\/6[0-6][\.\d]*")) {
+                set req.http.X-UA-SameSiteNone = "unsupported";
+    }
+
+    # Versions of UC Browser on Android prior to version 12.13.2. Older versions will reject a cookie with `SameSite=None`
+    if (req.http.user-agent ~ "UCBrowser\/" && (req.http.user-agent ~ "UCBrowser\/[0-9]\.\d+\.\d+[\.\d]*" || req.http.user-agent ~ "UCBrowser\/1[0-1]\.\d+\.\d+[\.\d]*" ||
+        req.http.user-agent ~ "UCBrowser\/12\.[0-9]\.\d+[\.\d]*" || req.http.user-agent ~ "UCBrowser\/12\.1[0-2]\.\d+[\.\d]*" || req.http.user-agent ~ "UCBrowser\/12\.13\.[0-1][\.\d]*")) {
+        set req.http.X-UA-SameSiteNone = "unsupported";
+    }
+
+    #######################
+    # hasWebKitSameSiteBug:
+    #
+    # all browsers on iOS 12
+    if (req.http.user-agent ~ "\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\/") {
+        set req.http.X-UA-SameSiteNone = "unsupported";
+    }
+    # Safari & embedded browsers on MacOS 10.14
+    if (req.http.user-agent ~ "\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit\/") {
+        # isSafari
+        # ||
+        # isMacEmbeddedBrowser
+        if ((req.http.user-agent ~ "Version\/.* Safari\/" && req.http.user-agent !~ "Chrom(e|ium)") ||
+            (req.http.user-agent ~ "^Mozilla\/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit\/[\.\d]+ \(KHTML, like Gecko\)$")) {
+            set req.http.X-UA-SameSiteNone = "unsupported";
+        }
+    }
+}
--- a/tests/10-samesite.vtc
+++ b/tests/10-samesite.vtc
+varnishtest "Basic functionality of same-site feature detection"
+
+server s1 -repeat 2 {
+       rxreq
+       txresp -hdr "Set-Cookie: FirstPartyCookie=foobar"
+
+       rxreq
+       txresp -hdr "Set-Cookie: ThirdPartyCookie=foobar"
+
+       rxreq
+       txresp -hdr "Set-Cookie: ThirdPartyCookie=foobar;Path=/;Secure"
+
+       rxreq
+       txresp -hdr "Set-Cookie: ThirdPartyCookie=foobar;SameSite=lax"
+} -start
+
+varnish v1 -vcl+backend {
+        include "${projectdir}/samesite.vcl";
+        sub vcl_deliver {
+        	call samesite;
+                
+                if (resp.http.set-cookie &&
+                resp.http.set-cookie ~ "ThirdPartyCookie=" &&
+                resp.http.set-cookie !~ "SameSite" ) {
+
+                        if (req.http.X-UA-SameSiteNone == "supported") {
+                                set resp.http.Set-Cookie = resp.http.set-cookie + ";SameSite=None";
+                        }
+	        }
+        }
+} -start
+
+# test with browser which does not support SameSite=None
+client c1 {
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "FirstPartyCookie=foobar"
+
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar"
+
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;Path=/;Secure"
+
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;SameSite=lax"
+} -run
+
+# test with browser which support SameSite=None
+client c1 {
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "FirstPartyCookie=foobar"
+
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;SameSite=None"
+
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;Path=/;Secure;SameSite=None"
+
+        txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+	rxresp
+	expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;SameSite=lax"
+} -run