Merge pull request #414 from twitter/add-same-site-none-support

oreoshake · web-flow · commit 390fc00423dc · 2020-01-07T17:25:07.000-10:00
Add support for SameSite=None
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.6.1
+2.6.5
diff --git a/.travis.yml b/.travis.yml
@@ -2,9 +2,9 @@ language: ruby
 
 rvm:
   - ruby-head
-  - 2.6.1
-  - 2.5.0
-  - 2.4.3
+  - 2.5
+  - 2.6
+  - 2.7
   - jruby-head
 
 env:
diff --git a/Gemfile b/Gemfile
@@ -9,15 +9,15 @@ group :test do
   gem "pry-nav"
   gem "rack"
   gem "rspec"
-  gem "rubocop"
+  gem "rubocop", "< 0.68"
   gem "rubocop-github"
   gem "term-ansicolor"
   gem "tins"
 end
 
 group :guard do
   gem "growl"
-  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
+  gem "guard-rspec", platforms: [:ruby]
   gem "rb-fsevent"
   gem "terminal-notifier-guard"
 end
diff --git a/docs/cookies.md b/docs/cookies.md
@@ -52,13 +52,14 @@ config.cookies = {
 }
 ```
 
-`Strict` and `Lax` enforcement modes can also be specified using a Hash.
+`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
 
 ```ruby
 config.cookies = {
   samesite: {
     strict: { only: ['_rails_session'] },
-    lax: { only: ['_guest'] }
+    lax: { only: ['_guest'] },
+    none: { only: ['_tracking'] },
   }
 }
 ```
diff --git a/lib/secure_headers/headers/cookie.rb b/lib/secure_headers/headers/cookie.rb
@@ -94,12 +94,14 @@ def samesite_cookie
         "SameSite=Lax"
       elsif flag_samesite_strict?
         "SameSite=Strict"
+      elsif flag_samesite_none?
+        "SameSite=None"
       end
     end
 
     def flag_samesite?
       return false if config == OPT_OUT || config[:samesite] == OPT_OUT
-      flag_samesite_lax? || flag_samesite_strict?
+      flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
     end
 
     def flag_samesite_lax?
@@ -110,6 +112,10 @@ def flag_samesite_strict?
       flag_samesite_enforcement?(:strict)
     end
 
+    def flag_samesite_none?
+      flag_samesite_enforcement?(:none)
+    end
+
     def flag_samesite_enforcement?(mode)
       return unless config[:samesite]
 
diff --git a/lib/secure_headers/utils/cookies_config.rb b/lib/secure_headers/utils/cookies_config.rb
@@ -43,10 +43,12 @@ def validate_samesite_config!
 
     # when configuring with booleans, only one enforcement is permitted
     def validate_samesite_boolean_config!
-      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
-      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
       end
     end
 
diff --git a/spec/lib/secure_headers/headers/cookie_spec.rb b/spec/lib/secure_headers/headers/cookie_spec.rb
@@ -68,29 +68,21 @@ module SecureHeaders
     end
 
     context "SameSite cookies" do
-      it "flags SameSite=Lax" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-
-      it "flags SameSite=Lax when configured with a boolean" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: true}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Lax")
-      end
-
-      it "does not flag cookies as SameSite=Lax when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { lax: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
-      end
+      %w(None Lax Strict).each do |flag|
+        it "flags SameSite=#{flag}" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
 
-      it "flags SameSite=Strict" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
-      end
+        it "flags SameSite=#{flag} when configured with a boolean" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => true}, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest; SameSite=#{flag}")
+        end
 
-      it "does not flag cookies as SameSite=Strict when excluded" do
-        cookie = Cookie.new(raw_cookie, samesite: { strict: { except: ["_session"] }}, secure: OPT_OUT, httponly: OPT_OUT)
-        expect(cookie.to_s).to eq("_session=thisisatest")
+        it "does not flag cookies as SameSite=#{flag} when excluded" do
+          cookie = Cookie.new(raw_cookie, samesite: { flag.downcase.to_sym => { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+          expect(cookie.to_s).to eq("_session=thisisatest")
+        end
       end
 
       it "flags SameSite=Strict when configured with a boolean" do
@@ -149,10 +141,15 @@ module SecureHeaders
       end.to raise_error(CookiesConfigError)
     end
 
-    it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
-      expect do
-        Cookie.validate_config!(samesite: { lax: true, strict: true})
-      end.to raise_error(CookiesConfigError)
+    cookie_options = %i(none lax strict)
+    cookie_options.each do |flag|
+      (cookie_options - [flag]).each do |other_flag|
+        it "raises an exception when SameSite #{flag} and #{other_flag} enforcement modes are configured with booleans" do
+          expect do
+            Cookie.validate_config!(samesite: { flag => true, other_flag => true})
+          end.to raise_error(CookiesConfigError)
+        end
+      end
     end
 
     it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do

Original file line number	Diff line number	Diff line change
`@@ -52,13 +52,14 @@ config.cookies = {`
`52`	`52`	`}`
`53`	`53`	```
`54`	`54`
`55`		-`Strict` and `Lax` enforcement modes can also be specified using a Hash.
	`55`	+`Strict`, `Lax`, and `None` enforcement modes can also be specified using a Hash.
`56`	`56`
`57`	`57`	```ruby
`58`	`58`	`config.cookies = {`
`59`	`59`	`samesite: {`
`60`	`60`	`strict: { only: ['_rails_session'] },`
`61`		`- lax: { only: ['_guest'] }`
	`61`	`+ lax: { only: ['_guest'] },`
	`62`	`+ none: { only: ['_tracking'] },`
`62`	`63`	`}`
`63`	`64`	`}`
`64`	`65`	```