7387ecb5
Commit
7387ecb5
authored
Apr 22, 2020
by
Jonathan Huot
Committed by
Dridi Boukelmoune
Aug 05, 2020
Add detection of SameSite=None browser feature.
parent
2bcd5482
Changes
2
Showing
2 changed files
with
106 additions
and
0 deletions
+106
-0
samesite.vcl
samesite.vcl
+37
-0
10-samesite.vtc
tests/10-samesite.vtc
+69
-0
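--- a/samesite.vcl
+++ b/samesite.vcl
+sub samesite {
+# See list here:
+# https://www.chromium.org/updates/same-site/incompatible-clients
+unset req.http.X-UA-SameSiteNone;
+set req.http.X-UA-SameSiteNone = "supported";
+# Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). These Chrome versions will reject a cookie with `SameSite=None`
+if (req.http.user-agent ~ "Chrom(e|ium)" &&
+(req.http.user-agent ~ "Chrom[^ \/]+\/5[1-9][\.\d]*" ||
+req.http.user-agent ~ "Chrom[^ \/]+\/6[0-6][\.\d]*")) {
+set req.http.X-UA-SameSiteNone = "unsupported";
+}
+# Versions of UC Browser on Android prior to version 12.13.2. Older versions will reject a cookie with `SameSite=None`
+if (req.http.user-agent ~ "UCBrowser\/" && (req.http.user-agent ~ "UCBrowser\/[0-9]\.\d+\.\d+[\.\d]*" || req.http.user-agent ~ "UCBrowser\/1[0-1]\.\d+\.\d+[\.\d]*" ||
+req.http.user-agent ~ "UCBrowser\/12\.[0-9]\.\d+[\.\d]*" || req.http.user-agent ~ "UCBrowser\/12\.1[0-2]\.\d+[\.\d]*" || req.http.user-agent ~ "UCBrowser\/12\.13\.[0-1][\.\d]*")) {
+set req.http.X-UA-SameSiteNone = "unsupported";
+}
+#######################
+# hasWebKitSameSiteBug:
+#
+# all browsers on iOS 12
+if (req.http.user-agent ~ "\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\/") {
+set req.http.X-UA-SameSiteNone = "unsupported";
+}
+# Safari & embedded browsers on MacOS 10.14
+if (req.http.user-agent ~ "\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit\/") {
+# isSafari
+# ||
+# isMacEmbeddedBrowser
+if ((req.http.user-agent ~ "Version\/.* Safari\/" && req.http.user-agent !~ "Chrom(e|ium)") ||
+(req.http.user-agent ~ "^Mozilla\/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit\/[\.\d]+ \(KHTML, like Gecko\)$")) {
+set req.http.X-UA-SameSiteNone = "unsupported";
+}
+}
+}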
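Review bot: The last UC Browser alternative, `UCBrowser\/12\.13\.[0-1][\.\d]*`, has no boundary after the patch digit, so a version string such as 12.13.10 would be classified "unsupported" although it is later than 12.13.2; the Chrome alternatives have the same shape, since `5[1-9][\.\d]*` also matches a three-digit major such as 510. Requiring a non-digit after the significant component would pin both, e.g. `UCBrowser\/12\.13\.[0-1]([^\d]|$)` and `Chrom[^ \/]+\/(5[1-9]|6[0-6])\.`. Because the result is derived only from the client-supplied User-Agent, I would also add a comment above the sub along the lines of `# X-UA-SameSiteNone is a compatibility hint derived from User-Agent; do not use it for access decisions`, and note there that a request with no User-Agent falls through to "supported".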
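--- a/tests/10-samesite.vtc
+++ b/tests/10-samesite.vtc
+varnishtest "Basic functionality of same-site feature detection"
+server s1 -repeat 2 {
+rxreq
+txresp -hdr "Set-Cookie: FirstPartyCookie=foobar"
+rxreq
+txresp -hdr "Set-Cookie: ThirdPartyCookie=foobar"
+rxreq
+txresp -hdr "Set-Cookie: ThirdPartyCookie=foobar;Path=/;Secure"
+rxreq
+txresp -hdr "Set-Cookie: ThirdPartyCookie=foobar;SameSite=lax"
+} -start
+varnish v1 -vcl+backend {
+include "${projectdir}/samesite.vcl";
+sub vcl_deliver {
+call samesite;
+if (resp.http.set-cookie &&
+resp.http.set-cookie ~ "ThirdPartyCookie=" &&
+resp.http.set-cookie !~ "SameSite" ) {
+if (req.http.X-UA-SameSiteNone == "supported") {
+set resp.http.Set-Cookie = resp.http.set-cookie + ";SameSite=None";
+}
+}
+}
+} -start
+# test with browser which does not support SameSite=None
+client c1 {
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "FirstPartyCookie=foobar"
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar"
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;Path=/;Secure"
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;SameSite=lax"
+} -run
+# test with browser which support SameSite=None
+client c1 {
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "FirstPartyCookie=foobar"
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;SameSite=None"
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;Path=/;Secure;SameSite=None"
+txreq -hdr "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.3904.130"
+rxresp
+expect resp.http.Set-Cookie == "ThirdPartyCookie=foobar;SameSite=lax"
+} -run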
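Review bot: The example `vcl_deliver` appends `;SameSite=None` without checking for `Secure`, and the expectation `ThirdPartyCookie=foobar;SameSite=None` pins that output; browsers that enforce the newer SameSite rules reject a `SameSite=None` cookie that lacks `Secure`, so anyone copying this snippet would silently lose the cookie in exactly the clients classified "supported". I would add `resp.http.set-cookie ~ "(?i);\s*secure"` to the outer condition and change that expectation to the unmodified cookie. The cases also exercise only Chrome 61 and Chrome 81, so the UC Browser, iOS 12 and macOS 10.14 branches of `samesite`, and a request with no User-Agent, have no coverage. `resp.http.set-cookie` presumably addresses only the first Set-Cookie header of a response, which deserves a comment in the example since backends often send several.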