Merge pull request rails#45501 from ghiculescu/same-site-false

jonathanhefner · web-flow · commit c0f71dac7018 · 2022-07-05T11:06:45.000-05:00
Allow opting out of the `SameSite` cookie attribute when setting a cookie
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,13 @@
+*   Allow opting out of the `SameSite` cookie attribute when setting a cookie.
+
+    You can opt out of `SameSite` by passing `same_site: nil`.
+
+    `cookies[:foo] = { value: "bar", same_site: nil }`
+
+    Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting.
+
+    *Alex Ghiculescu*
+
 *   Allow using `helper_method`s in `content_security_policy` and `permissions_policy`
 
     Previously you could access basic helpers (defined in helper modules), but not
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -453,8 +453,9 @@ def handle_options(options)
 
           options[:path]      ||= "/"
 
-          cookies_same_site_protection = request.cookies_same_site_protection
-          options[:same_site] ||= cookies_same_site_protection.call(request)
+          unless options.key?(:same_site)
+            options[:same_site] = request.cookies_same_site_protection.call(request)
+          end
 
           if options[:domain] == :all || options[:domain] == "all"
             # If there is a provided tld length then we use it otherwise default domain regexp.
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
@@ -334,6 +334,16 @@ def rails_5_2_stable_signed_cookie_with_authenticated_encryption_flag_off
 
       head :ok
     end
+
+    def set_same_site_strict
+      cookies["user_name"] = { value: "david", same_site: :strict }
+      head :ok
+    end
+
+    def set_same_site_nil
+      cookies["user_name"] = { value: "david", same_site: nil }
+      head :ok
+    end
   end
 
   tests TestController
@@ -362,15 +372,15 @@ def setup
     @request.host = "www.nextangle.com"
   end
 
-  def test_setting_cookie_with_no_protection
+  def test_setting_cookie_with_no_same_site_protection
     @request.env["action_dispatch.cookies_same_site_protection"] = proc { :none }
 
     get :authenticate
     assert_cookie_header "user_name=david; path=/; SameSite=None"
     assert_equal({ "user_name" => "david" }, @response.cookies)
   end
 
-  def test_setting_cookie_with_protection_proc_normal_user_agent
+  def test_setting_cookie_with_same_site_protection_proc_normal_user_agent
     @request.env["action_dispatch.cookies_same_site_protection"] = Proc.new do |request|
       :strict unless request.user_agent == "spooky browser"
     end
@@ -380,7 +390,7 @@ def test_setting_cookie_with_protection_proc_normal_user_agent
     assert_equal({ "user_name" => "david" }, @response.cookies)
   end
 
-  def test_setting_cookie_with_protection_proc_special_user_agent
+  def test_setting_cookie_with_same_site_protection_proc_special_user_agent
     @request.env["action_dispatch.cookies_same_site_protection"] = Proc.new do |request|
       :strict unless request.user_agent == "spooky browser"
     end
@@ -391,7 +401,7 @@ def test_setting_cookie_with_protection_proc_special_user_agent
     assert_equal({ "user_name" => "david" }, @response.cookies)
   end
 
-  def test_setting_cookie_with_misspelled_protection_raises
+  def test_setting_cookie_with_misspelled_same_site_protection_raises
     @request.env["action_dispatch.cookies_same_site_protection"] = proc { :funky }
 
     error = assert_raise ArgumentError do
@@ -400,14 +410,38 @@ def test_setting_cookie_with_misspelled_protection_raises
     assert_match "Invalid SameSite value: :funky", error.message
   end
 
-  def test_setting_cookie_with_strict
+  def test_setting_cookie_with_same_site_strict
     @request.env["action_dispatch.cookies_same_site_protection"] = proc { :strict }
 
     get :authenticate
     assert_cookie_header "user_name=david; path=/; SameSite=Strict"
     assert_equal({ "user_name" => "david" }, @response.cookies)
   end
 
+  def test_setting_cookie_with_same_site_nil
+    @request.env["action_dispatch.cookies_same_site_protection"] = proc { nil }
+
+    get :authenticate
+    assert_cookie_header "user_name=david; path=/"
+    assert_equal({ "user_name" => "david" }, @response.cookies)
+  end
+
+  def test_setting_cookie_with_specific_same_site_strict
+    @request.env["action_dispatch.cookies_same_site_protection"] = proc { :lax }
+
+    get :set_same_site_strict
+    assert_cookie_header "user_name=david; path=/; SameSite=Strict"
+    assert_equal({ "user_name" => "david" }, @response.cookies)
+  end
+
+  def test_setting_cookie_with_specific_same_site_nil
+    @request.env["action_dispatch.cookies_same_site_protection"] = proc { :lax }
+
+    get :set_same_site_nil
+    assert_cookie_header "user_name=david; path=/"
+    assert_equal({ "user_name" => "david" }, @response.cookies)
+  end
+
   def test_setting_cookie
     get :authenticate
     assert_cookie_header "user_name=david; path=/; SameSite=Lax"
