From 7707c24e2e89aadddcbb0027093fdf77339387c8 Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Mon, 25 Nov 2019 17:33:28 -0500 Subject: [PATCH 01/11] Update API for SameSitemode On framework systems, the behavior of SameSiteMode.None has changed. This PR documents the new behavior, and links to the KB articles. --- xml/System.Web/SameSiteMode.xml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index f571134a709..c359c5549cd 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml @@ -14,7 +14,20 @@ Specifies constants that indicate the value for the SameSite attribute of the cookie. - To be added. + + value now causes ASP.NET to emit a SameSite cookie header to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. + +Before these updates have been applied, the does not emit the `SameSite` cookie header. + +For more information on this behavior see [KB article 4531182](https://support.microsoft.com/help/4531182/kb4531182) or [KB article 4524421](https://support.microsoft.com/help/4524421/kb4524421). + +On systems where these updates have been applied, you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`. +]]> + @@ -54,7 +67,7 @@ 0 - No mode is specified. + Emits "SameSite=None" (see remarks). From 5b22460be3b8874aff4de1a1e71675f1e697ffef Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Mon, 25 Nov 2019 17:59:33 -0500 Subject: [PATCH 02/11] Update xml/System.Web/SameSiteMode.xml Co-Authored-By: Chris Ross --- xml/System.Web/SameSiteMode.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index c359c5549cd..0f1284b4d37 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml @@ -19,7 +19,7 @@ ## Remarks -The value now causes ASP.NET to emit a SameSite cookie header to accommodate upcoming changes to SameSite cookie handling in Chrome. As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. +The value now causes ASP.NET to emit a SameSite cookie header in compliance with https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 that browsers are in the process of adopting. As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. Before these updates have been applied, the does not emit the `SameSite` cookie header. From d931a1a745672cffddcb3cc0280a42f7516b1fdd Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Mon, 25 Nov 2019 18:07:52 -0500 Subject: [PATCH 03/11] respond to feedback. --- xml/System.Web/SameSiteMode.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index 0f1284b4d37..c4150a25a83 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml 
@@ -19,11 +19,11 @@ ## Remarks -The value now causes ASP.NET to emit a SameSite cookie header in compliance with https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 that browsers are in the process of adopting. As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. +The behavior of was modified by updates described in [KB article 4531182](https://support.microsoft.com/help/4531182/kb4531182) and [KB article 4524421](https://support.microsoft.com/help/4524421/kb4524421). -Before these updates have been applied, the does not emit the `SameSite` cookie header. +Without these updates, the value does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). -For more information on this behavior see [KB article 4531182](https://support.microsoft.com/help/4531182/kb4531182) or [KB article 4524421](https://support.microsoft.com/help/4524421/kb4524421). +After these updates have been applied, the value emits the `SameSite=None` cookie header. This new behavior conforms to [update](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. On systems where these updates have been applied, you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`. ]]> From ef95238f5c7de7161299fece32490639c7511bbc Mon Sep 17 00:00:00 2001 
From: Bill Wagner Date: Mon, 25 Nov 2019 18:52:24 -0500 Subject: [PATCH 04/11] update per review. --- xml/System.Web/HttpCookie.xml | 14 ++++++++++++-- xml/System.Web/SameSiteMode.xml | 2 +- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/xml/System.Web/HttpCookie.xml b/xml/System.Web/HttpCookie.xml index 8ac009a75a8..cdbc5f2c781 100644 --- a/xml/System.Web/HttpCookie.xml +++ b/xml/System.Web/HttpCookie.xml @@ -404,8 +404,18 @@ The property extends the Gets or sets the value for the SameSite attribute of the cookie. - One of the enumeration values that represents the enforcement mode of the cookie. If the application targets the .NET Framework 4.7.2 or later versions, the default value is ; otherwise, the default value is . - To be added. + One of the enumeration values that represents the enforcement mode of the cookie. The default value is . + format type="text/markdown">, which does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). + +After these updates have been applied, the default value is `-1`, which corresponds to "Unspecified". This preserves the earlier behavior. +]]> + diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index c4150a25a83..0f8df11ca06 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml 
@@ -25,7 +25,7 @@ Without these updates, the value d After these updates have been applied, the value emits the `SameSite=None` cookie header. This new behavior conforms to [update](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. -On systems where these updates have been applied, you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`. +On systems where these updates have been applied, you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`. You can specify this behavior using the string `Unspecified` in web.config. ]]> From ab8a55bc4b3deb88671df88bbf320ef6cc8f1d9c Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Mon, 25 Nov 2019 20:44:07 -0500 Subject: [PATCH 05/11] Update default description. --- xml/System.Web/HttpCookie.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Web/HttpCookie.xml b/xml/System.Web/HttpCookie.xml index cdbc5f2c781..42ac9f2d682 100644 --- a/xml/System.Web/HttpCookie.xml +++ b/xml/System.Web/HttpCookie.xml @@ -404,7 +404,7 @@ The property extends the Gets or sets the value for the SameSite attribute of the cookie. - One of the enumeration values that represents the enforcement mode of the cookie. The default value is . + One of the enumeration values that represents the enforcement mode of the cookie or `-1` (represented by the string "Unspecified" in config files.) The default value depends on updates. See Remarks for more information on defaults and recent updates. format type="text/markdown"> Date: Mon, 25 Nov 2019 21:10:49 -0500 Subject: [PATCH 06/11] missing an opening bracket. --- xml/System.Web/HttpCookie.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/xml/System.Web/HttpCookie.xml b/xml/System.Web/HttpCookie.xml index 42ac9f2d682..12447d111d9 100644 --- a/xml/System.Web/HttpCookie.xml +++ b/xml/System.Web/HttpCookie.xml @@ -405,7 +405,7 @@ The property extends the Gets or sets the value for the SameSite attribute of the cookie. One of the enumeration values that represents the enforcement mode of the cookie or `-1` (represented by the string "Unspecified" in config files.) The default value depends on updates. See Remarks for more information on defaults and recent updates. - format type="text/markdown"> Date: Tue, 26 Nov 2019 08:59:01 -0500 Subject: [PATCH 07/11] Apply suggestions from code review Co-Authored-By: Scott Addie <10702007+scottaddie@users.noreply.github.com> --- xml/System.Web/HttpCookie.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xml/System.Web/HttpCookie.xml b/xml/System.Web/HttpCookie.xml index 12447d111d9..ebdb5ae1782 100644 --- a/xml/System.Web/HttpCookie.xml +++ b/xml/System.Web/HttpCookie.xml 
@@ -404,7 +404,7 @@ The property extends the Gets or sets the value for the SameSite attribute of the cookie. - One of the enumeration values that represents the enforcement mode of the cookie or `-1` (represented by the string "Unspecified" in config files.) The default value depends on updates. See Remarks for more information on defaults and recent updates. + One of the enumeration values that represents the enforcement mode of the cookie or `-1` (represented by the string `Unspecified` in config files). The default value depends on updates. For more information on defaults and recent updates, see Remarks. , which does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). -After these updates have been applied, the default value is `-1`, which corresponds to "Unspecified". This preserves the earlier behavior. +After these updates have been applied, the default value is `-1`, which corresponds to `Unspecified`. This preserves the earlier behavior. ]]> From 8408aabf4e47ae2f54aebaba1f80cdf3098af889 Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Tue, 26 Nov 2019 10:29:30 -0500 Subject: [PATCH 08/11] Update xml/System.Web/SameSiteMode.xml Co-Authored-By: Genevieve Warren --- xml/System.Web/SameSiteMode.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index 0f8df11ca06..de29ddd1ad3 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml 
@@ -23,7 +23,7 @@ The behavior of was modified by up Without these updates, the value does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). -After these updates have been applied, the value emits the `SameSite=None` cookie header. This new behavior conforms to [update](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = 'Lax' instead of the previous default of 'None', though these values can be overridden in web.config. +After these updates have been applied, the value emits the `SameSite=None` cookie header. This new behavior conforms to [update](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = `Lax` instead of the previous default of `None`, though these values can be overridden in web.config. On systems where these updates have been applied, you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`. You can specify this behavior using the string `Unspecified` in web.config. ]]> From e7dd242b3d2868ff378cc60c7c6918b0d5978441 Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Tue, 26 Nov 2019 11:34:19 -0500 Subject: [PATCH 09/11] Update xml/System.Web/SameSiteMode.xml Co-Authored-By: Chris Ross --- xml/System.Web/SameSiteMode.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index de29ddd1ad3..f4680718d88 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml @@ -67,7 +67,7 @@ On systems where these updates have been applied, you can specify the previous b 0 - Emits "SameSite=None" (see remarks). + The cookie will be sent with all requests (see remarks). 
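Review bot: in the PATCH 09 hunk, the new `None` member text "The cookie will be sent with all requests (see remarks)" describes browser behavior that, per the Remarks in the same file, only holds once the KB updates are installed; without them `None` emits no `SameSite` attribute at all, and browsers adopting the linked cookie-incrementalism draft treat a missing attribute as `Lax`, which is the opposite of "sent with all requests". Since this enum controls what the server emits, suggest stating that instead, for example: `Emits "SameSite=None" on updated systems; emits no SameSite attribute without the updates (see Remarks).`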
From 7d2124cd26d0452f1d59e50b8c4bd1aee47daa12 Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Tue, 26 Nov 2019 11:53:44 -0500 Subject: [PATCH 10/11] respond to feedback. --- xml/System.Web/HttpCookie.xml | 4 ++-- xml/System.Web/SameSiteMode.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xml/System.Web/HttpCookie.xml b/xml/System.Web/HttpCookie.xml index ebdb5ae1782..e809bc30736 100644 --- a/xml/System.Web/HttpCookie.xml +++ b/xml/System.Web/HttpCookie.xml @@ -404,7 +404,7 @@ The property extends the Gets or sets the value for the SameSite attribute of the cookie. - One of the enumeration values that represents the enforcement mode of the cookie or `-1` (represented by the string `Unspecified` in config files). The default value depends on updates. For more information on defaults and recent updates, see Remarks. + One of the enumeration values that represents the enforcement mode of the cookie or `(SameSiteMode)(-1)` (represented by the string `Unspecified` in config files). The default value depends on updates. For more information on defaults and recent updates, see Remarks. , which does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). -After these updates have been applied, the default value is `-1`, which corresponds to `Unspecified`. This preserves the earlier behavior. +After these updates have been applied, the default value is `(SameSiteMode)(-1)`, which corresponds to `Unspecified`. This preserves the earlier behavior. Setting `SameSiteMode.None` causes "SameSite=None" to be emitted. ]]> diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index f4680718d88..d447b6bc4a0 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml 
@@ -87,7 +87,7 @@ On systems where these updates have been applied, you can specify the previous b 2 - When the value is Strict, or if the value is invalid, the cookie will only be sent along with "same-site" requests. + When the value is Strict the cookie will only be sent along with "same-site" requests. From dae4e563fd54af26a1d841d300dbecf16831d930 Mon Sep 17 00:00:00 2001 From: Bill Wagner Date: Tue, 26 Nov 2019 12:15:10 -0500 Subject: [PATCH 11/11] final proofread updates. --- xml/System.Web/HttpCookie.xml | 2 +- xml/System.Web/SameSiteMode.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/xml/System.Web/HttpCookie.xml b/xml/System.Web/HttpCookie.xml index e809bc30736..53d07f4f3de 100644 --- a/xml/System.Web/HttpCookie.xml +++ b/xml/System.Web/HttpCookie.xml @@ -413,7 +413,7 @@ The default value of this property was modifed by updates described in [KB artic Without these updates, the default value is , which does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). -After these updates have been applied, the default value is `(SameSiteMode)(-1)`, which corresponds to `Unspecified`. This preserves the earlier behavior. Setting `SameSiteMode.None` causes "SameSite=None" to be emitted. +After these updates have been applied, the default value is `(SameSiteMode)(-1)`, which corresponds to `Unspecified`. This preserves the earlier behavior. Setting `SameSiteMode.None` causes "SameSite=None" to be emitted. This new behavior conforms to [https://tools.ietf.org/html/draft-west-cookie-incrementalism-00](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). ]]> diff --git a/xml/System.Web/SameSiteMode.xml b/xml/System.Web/SameSiteMode.xml index d447b6bc4a0..5bb6d33455c 100644 --- a/xml/System.Web/SameSiteMode.xml +++ b/xml/System.Web/SameSiteMode.xml 
@@ -23,7 +23,7 @@ The behavior of was modified by up Without these updates, the value does not emit the `SameSite` cookie header. This conforms to [https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1). -After these updates have been applied, the value emits the `SameSite=None` cookie header. This new behavior conforms to [update](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = `Lax` instead of the previous default of `None`, though these values can be overridden in web.config. +After these updates have been applied, the value emits the `SameSite=None` cookie header. This new behavior conforms to [https://tools.ietf.org/html/draft-west-cookie-incrementalism-00](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00). As part of this change, FormsAuth and SessionState cookies will be issued with SameSite = `Lax` instead of the previous default of `None`, though these values can be overridden in web.config. On systems where these updates have been applied, you can specify the previous behavior by setting the `SameSiteMode` to `(SameSiteMode)(-1)`. You can specify this behavior using the string `Unspecified` in web.config. ]]>
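Review bot: in the PATCH 01 Remarks hunk for `SameSiteMode.xml`, `(SameSiteMode)(-1)` is presented as a supported value without saying that it is not a defined member of the enum: `Enum.IsDefined(typeof(SameSiteMode), value)` returns false for it and `ToString()` yields "-1", so validation code that rejects undefined enum values will reject the very default that `HttpCookie.xml` documents after the updates. Suggest adding a sentence to that effect so readers do not "fix" the cast by substituting `SameSiteMode.None`, which on updated systems emits `SameSite=None` instead of emitting nothing.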
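Review bot: in the PATCH 04 `HttpCookie.xml` hunk, "After these updates have been applied, the default value is `-1` ... This preserves the earlier behavior." is only true for cookies the application creates itself; the `SameSiteMode.xml` Remarks in the same PR say the FormsAuth and SessionState cookies switch to `Lax` after the same updates. Suggest "This preserves the earlier behavior for cookies that your code creates; the FormsAuth and SessionState cookies change to `Lax`, see the SameSiteMode remarks." The same hunk also drops the ".NET Framework 4.7.2 or later" condition from the property summary, yet the new Remarks never say which framework versions the KB updates apply to; the version applicability should be stated somewhere.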
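Review bot: in the PATCH 04 `SameSiteMode.xml` hunk, "You can specify this behavior using the string `Unspecified` in web.config" does not say which configuration element or attribute accepts that string, so a reader cannot act on it. Name the attribute(s) the KB articles introduce, or link to the section of the KB article that lists them, and show one example setting.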
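Review bot: the PATCH 10 `SameSiteMode.xml` hunk removes "or if the value is invalid" from the `Strict` description, so the file no longer says what happens for out-of-range values at exactly the point where the PR starts recommending one such value, `(SameSiteMode)(-1)`. If -1 is now the only undefined value with defined behavior, say so and state how other undefined values are treated (the removed text said they were treated as `Strict`); if the `Strict` fallback still applies to everything except -1, keep the clause with that exception spelled out.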
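Review bot: in the final `SameSiteMode.xml` Remarks, "the value emits the `SameSite=None` cookie header" should add that the linked cookie-incrementalism draft also requires a cookie marked `SameSite=None` to carry the `Secure` attribute; browsers following the draft reject a `SameSite=None` cookie set without `Secure`, so a reader who switches to `None` to keep a cross-site flow working over plain HTTP will lose the cookie entirely. Suggest: "Set `HttpCookie.Secure` to `true` on any cookie that uses `SameSiteMode.None`; browsers that follow the draft reject `SameSite=None` cookies that are not marked `Secure`." Separately, "instead of the previous default of `None`" is ambiguous here because the preceding paragraph says the pre-update `None` emitted no attribute; "instead of the previous default of `None` (no `SameSite` attribute emitted)" removes the ambiguity.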