From: Eric Covener Date: Sat, 8 Feb 2020 01:14:28 +0000 (+0000) Subject: add SameSite to RewriteRule ... ... [CO] X-Git-Tag: 2.5.0-alpha2-ci-test-only~1672 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a98d6a4cd12380ebbd516071090297814b9d010f;p=thirdparty%2Fapache%2Fhttpd.git add SameSite to RewriteRule ... ... [CO] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1873762 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 821aff66d76..ef8c44db3f1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a + SameSite attribute. [Eric Covener] + *) Update DOCTYPE tags in server-generated HTML. PR62989. [Andra Farkas , Giovanni Bechis ] diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml index 7e9963f58ad..961c7c313fa 100644 --- a/docs/manual/mod/mod_rewrite.xml +++ b/docs/manual/mod/mod_rewrite.xml @@ -1343,7 +1343,7 @@ cannot use $N in the substitution string! cookie|CO=NAME:VAL Sets a cookie in the client browser. Full syntax is: - CO=NAME:VAL:domain[:lifetime[:path[:secure[:httponly]]]] details ... + CO=NAME:VAL:domain[:lifetime[:path[:secure[:httponly[samesite]]]]] details ... diff --git a/docs/manual/rewrite/flags.xml b/docs/manual/rewrite/flags.xml index cd9fe971caf..67bf9cf99dc 100644 --- a/docs/manual/rewrite/flags.xml +++ b/docs/manual/rewrite/flags.xml @@ -134,14 +134,14 @@ skipped.

CO|cookie

The [CO], or [cookie] flag, allows you to set a cookie when a particular RewriteRule -matches. The argument consists of three required fields and four optional +matches. The argument consists of three required fields and five optional fields.

The full syntax for the flag, including all attributes, is as follows:

-[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly] +[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly:samesite]

If a literal ':' character is needed in any of the cookie fields, an @@ -150,7 +150,7 @@ alternate syntax is available. To opt-in to the alternate syntax, the cookie specified as ';'.

-[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly] +[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly;samesite]

You must declare a name, a value, and a domain for the cookie to be set.

@@ -191,6 +191,12 @@ connections. which means that the cookie is inaccessible to JavaScript code on browsers that support this feature. +
samesite
+
If set to anything other than 0, the SameSite +attribute is set to the specified value. Typical values are None, +Lax, and Strict.Available in 2.5.1 and later.
+ +

Consider this example:

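Review bot: the added `samesite` paragraph in this hunk runs two sentences together ("Strict.Available in 2.5.1 and later"); a space, or a separate sentence, is needed before "Available". The text also says the attribute is "set to the specified value" without saying that the value is copied into the Set-Cookie header verbatim and unvalidated (the mod_rewrite.c hunk builds it with `apr_pstrcat(rmain->pool, cookie, "; SameSite=", samesite, NULL)`), so a misspelt value becomes an unrecognised attribute value rather than the intended `Strict` or `Lax`; stating that the value is emitted as given, alongside the three listed spellings, would save operators a debugging round.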
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index ad90d60dcfb..f35752b0e19 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -2581,6 +2581,7 @@ static void add_cookie(request_rec *r, char *s) char *path; char *secure; char *httponly; + char *samesite; char *tok_cntx; char *cookie; @@ -2615,6 +2616,7 @@ static void add_cookie(request_rec *r, char *s) path = expires ? apr_strtok(NULL, sep, &tok_cntx) : NULL; secure = path ? apr_strtok(NULL, sep, &tok_cntx) : NULL; httponly = secure ? apr_strtok(NULL, sep, &tok_cntx) : NULL; + samesite = httponly ? apr_strtok(NULL, sep, &tok_cntx) : NULL; if (expires) { apr_time_exp_t tms; @@ -2654,6 +2656,11 @@ static void add_cookie(request_rec *r, char *s) "; HttpOnly" : NULL, NULL); + if (samesite && !strcasecmp(samesite, "0")) { + cookie = apr_pstrcat(rmain->pool, cookie, "; SameSite=", + samesite, NULL); + } + apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie); apr_pool_userdata_set("set", notename, NULL, rmain->pool); rewritelog(rmain, 5, NULL, "setting cookie '%s'", cookie);
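Review bot: in the docs/manual/mod/mod_rewrite.xml hunk the new syntax summary `CO=NAME:VAL:domain[:lifetime[:path[:secure[:httponly[samesite]]]]]` drops the `:` separator before `samesite`; it should read `[:httponly[:samesite]]` so that it matches the `...:httponly:samesite` form documented in docs/manual/rewrite/flags.xml and the field-by-field `apr_strtok(NULL, sep, &tok_cntx)` parsing added in mod_rewrite.c.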
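Review bot: the condition in the third mod_rewrite.c hunk is inverted. `!strcasecmp(samesite, "0")` is true only when the field is exactly "0", so the code appends `; SameSite=0` for a disabled field and emits nothing for `None`, `Lax` or `Strict`, the opposite of the flags.xml text "If set to anything other than 0, the SameSite attribute is set to the specified value". It should be
    if (samesite && strcasecmp(samesite, "0")) {
The first two hunks (declaring `samesite` and tokenising it after `httponly`) are fine. A comment noting that the value is concatenated verbatim, and a test that sets one cookie with `:Lax` and one with `:0` and checks the resulting Set-Cookie headers, would have caught the inversion.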