HandleSameSiteCookieCompatibility first idea

Tiago Brenck · Tiago Brenck · commit 08b13c0787a2 · 2020-01-15T17:59:51.000-08:00
diff --git a/1-WebApp-OIDC/1-1-MyOrg/Startup.cs b/1-WebApp-OIDC/1-1-MyOrg/Startup.cs
@@ -26,7 +26,8 @@ public void ConfigureServices(IServiceCollection services)
             {
                 // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                 options.CheckConsentNeeded = context => true;
-                options.MinimumSameSitePolicy = SameSiteMode.None;
+                options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
+                options.HandleSameSiteCookieCompatibility();
             });
 
             // Sign-in users with the Microsoft identity platform
diff --git a/Microsoft.Identity.Web/WebAppServiceCollectionExtensions.cs b/Microsoft.Identity.Web/WebAppServiceCollectionExtensions.cs
@@ -4,12 +4,15 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.AzureAD.UI;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Web.Resource;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using System;
 using System.Collections.Generic;
 using System.Threading.Tasks;
 
@@ -100,6 +103,7 @@ public static IServiceCollection AddMicrosoftIdentityPlatformAuthentication(
                     OpenIdConnectMiddlewareDiagnostics.Subscribe(options.Events);
                 }
             });
+
             return services;
         }
 
@@ -158,5 +162,70 @@ public static IServiceCollection AddMsal(this IServiceCollection services, IConf
             });
             return services;
         }
+
+        public static CookiePolicyOptions HandleSameSiteCookieCompatibility(this CookiePolicyOptions options)
+        {
+            return HandleSameSiteCookieCompatibility(options, DisallowsSameSiteNone);
+        }
+
+        public static CookiePolicyOptions HandleSameSiteCookieCompatibility(this CookiePolicyOptions options, Func<string, bool> disallowsSameSiteNone)
+        {
+            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
+            options.OnAppendCookie = cookieContext =>
+                CheckSameSite(cookieContext.Context, cookieContext.CookieOptions, disallowsSameSiteNone);
+            options.OnDeleteCookie = cookieContext =>
+                CheckSameSite(cookieContext.Context, cookieContext.CookieOptions, disallowsSameSiteNone);
+            return options;
+        }
+
+        private static void CheckSameSite(HttpContext httpContext, CookieOptions options, Func<string, bool> disallowsSameSiteNone)
+        {
+            if (options.SameSite == SameSiteMode.None)
+            {
+                var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
+                if (disallowsSameSiteNone(userAgent))
+                {
+                    options.SameSite = SameSiteMode.Unspecified;
+                }
+            }
+        }
+
+        public static bool DisallowsSameSiteNone(string userAgent)
+        {
+            // Cover all iOS based browsers here. This includes:
+            // - Safari on iOS 12 for iPhone, iPod Touch, iPad
+            // - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
+            // - Chrome on iOS 12 for iPhone, iPod Touch, iPad
+            // All of which are broken by SameSite=None, because they use the iOS networking
+            // stack.
+            if (userAgent.Contains("CPU iPhone OS 12") ||
+                userAgent.Contains("iPad; CPU OS 12"))
+            {
+                return true;
+            }
+
+            // Cover Mac OS X based browsers that use the Mac OS networking stack. 
+            // This includes:
+            // - Safari on Mac OS X.
+            // This does not include:
+            // - Chrome on Mac OS X
+            // Because they do not use the Mac OS networking stack.
+            if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
+                userAgent.Contains("Version/") && userAgent.Contains("Safari"))
+            {
+                return true;
+            }
+
+            // Cover Chrome 50-69, because some versions are broken by SameSite=None, 
+            // and none in this range require it.
+            // Note: this covers some pre-Chromium Edge versions, 
+            // but pre-Chromium Edge does not require SameSite=None.
+            if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
+            {
+                return true;
+            }
+
+            return false;
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,8 @@ public void ConfigureServices(IServiceCollection services)`
`26`	`26`	`{`
`27`	`27`	`// This lambda determines whether user consent for non-essential cookies is needed for a given request.`
`28`	`28`	`options.CheckConsentNeeded = context => true;`
`29`		`- options.MinimumSameSitePolicy = SameSiteMode.None;`
	`29`	`+ options.MinimumSameSitePolicy = SameSiteMode.Unspecified;`
	`30`	`+ options.HandleSameSiteCookieCompatibility();`
`30`	`31`	`});`
`31`	`32`
`32`	`33`	`// Sign-in users with the Microsoft identity platform`