Add support for SameSite=None

oreoshake · oreoshake · commit 623ac24495e6 · 2020-01-07T12:14:34.000-10:00
Fixes #412
diff --git a/Gemfile b/Gemfile
@@ -17,7 +17,7 @@ end
 
 group :guard do
   gem "growl"
-  gem "guard-rspec", platforms: [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
+  gem "guard-rspec", platforms: [:ruby]
   gem "rb-fsevent"
   gem "terminal-notifier-guard"
 end
diff --git a/lib/secure_headers/headers/cookie.rb b/lib/secure_headers/headers/cookie.rb
@@ -94,12 +94,14 @@ def samesite_cookie
         "SameSite=Lax"
       elsif flag_samesite_strict?
         "SameSite=Strict"
+      elsif flag_samesite_none?
+        "SameSite=None"
       end
     end
 
     def flag_samesite?
       return false if config == OPT_OUT || config[:samesite] == OPT_OUT
-      flag_samesite_lax? || flag_samesite_strict?
+      flag_samesite_lax? || flag_samesite_strict? || flag_samesite_none?
     end
 
     def flag_samesite_lax?
@@ -110,6 +112,10 @@ def flag_samesite_strict?
       flag_samesite_enforcement?(:strict)
     end
 
+    def flag_samesite_none?
+      flag_samesite_enforcement?(:none)
+    end
+
     def flag_samesite_enforcement?(mode)
       return unless config[:samesite]
 
diff --git a/lib/secure_headers/utils/cookies_config.rb b/lib/secure_headers/utils/cookies_config.rb
@@ -43,10 +43,12 @@ def validate_samesite_config!
 
     # when configuring with booleans, only one enforcement is permitted
     def validate_samesite_boolean_config!
-      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
-      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
-        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && (config[:samesite].key?(:strict) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax with strict or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:none))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure strict with lax or no enforcement is not permitted.")
+      elsif config[:samesite].key?(:none) && config[:samesite][:none].is_a?(TrueClass) && (config[:samesite].key?(:lax) || config[:samesite].key?(:strict))
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure no enforcement with lax or strict is not permitted.")
       end
     end
 
diff --git a/spec/lib/secure_headers/headers/cookie_spec.rb b/spec/lib/secure_headers/headers/cookie_spec.rb
@@ -93,6 +93,21 @@ module SecureHeaders
         expect(cookie.to_s).to eq("_session=thisisatest")
       end
 
+      it "flags SameSite=None" do
+        cookie = Cookie.new(raw_cookie, samesite: { none: { only: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=None")
+      end
+
+      it "flags SameSite=None when configured with a boolean" do
+        cookie = Cookie.new(raw_cookie, samesite: { none: true}, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest; SameSite=None")
+      end
+
+      it "does not flag cookies as SameSite=none when excluded" do
+        cookie = Cookie.new(raw_cookie, samesite: { none: { except: ["_session"] } }, secure: OPT_OUT, httponly: OPT_OUT)
+        expect(cookie.to_s).to eq("_session=thisisatest")
+      end
+
       it "flags SameSite=Strict when configured with a boolean" do
         cookie = Cookie.new(raw_cookie, {samesite: { strict: true}, secure: OPT_OUT, httponly: OPT_OUT})
         expect(cookie.to_s).to eq("_session=thisisatest; SameSite=Strict")
@@ -155,6 +170,30 @@ module SecureHeaders
       end.to raise_error(CookiesConfigError)
     end
 
+    it "raises an exception when SameSite lax and none enforcement modes are configured with booleans" do
+      expect do
+        Cookie.validate_config!(samesite: { lax: true, none: true})
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when SameSite strict and none enforcement modes are configured with booleans" do
+      expect do
+        Cookie.validate_config!(samesite: { strict: true, none: true})
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when SameSite none and lax enforcement modes are configured with booleans" do
+      expect do
+        Cookie.validate_config!(samesite: { none: true, lax: true})
+      end.to raise_error(CookiesConfigError)
+    end
+
+    it "raises an exception when SameSite none and strict enforcement modes are configured with booleans" do
+      expect do
+        Cookie.validate_config!(samesite: { none: true, strict: true})
+      end.to raise_error(CookiesConfigError)
+    end
+
     it "raises an exception when SameSite lax and strict enforcement modes are configured with booleans" do
       expect do
         Cookie.validate_config!(samesite: { lax: true, strict: { only: ["_anything"] } })
