bug #36173 [Http Foundation] Fix clear cookie samesite (guillbdx)
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Http Foundation] Fix clear cookie samesite
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #36107
| License | MIT
With Chrome Update 80, Cookies are required to be `secure` and `samesite=none` for cross site requests. However they are defaulted to `samesite=lax` if the samesite attribute is not set. In other words: the developer has to explicitly opt-in for `samesite=none` in the case of a cross site request.
More details: https://chromestatus.com/feature/5088147346030592
We add the `samesite` argument to the `clearCookie` method to allow the developer to explicitly set this value.
Commits
-------
4bdea1f2e7
[Http Foundation] Fix clear cookie samesite
This commit is contained in:
commit
b4ec8b9a82
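--- a/PATH-NOT-SHOWN/ResponseHeaderBag.php
+++ b/PATH-NOT-SHOWN/ResponseHeaderBag.php
@@ -244,10 +244,13 @@ class ResponseHeaderBag extends HeaderBag
 * @param string $domain
 * @param bool $secure
 * @param bool $httpOnly
+* @param string $sameSite
 */
-public function clearCookie($name, $path = '/', $domain = null, $secure = false, $httpOnly = true)
+public function clearCookie($name, $path = '/', $domain = null, $secure = false, $httpOnly = true/*, $sameSite = null*/)
 {
-$this->setCookie(new Cookie($name, null, 1, $path, $domain, $secure, $httpOnly));
+$sameSite = \func_num_args() > 5 ? func_get_arg(5) : null;
+
+$this->setCookie(new Cookie($name, null, 1, $path, $domain, $secure, $httpOnly, false, $sameSite));
 }
 
 /**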
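Review bot: The added docblock line `* @param string $sameSite` does not match the value the method actually receives, which is `null` whenever fewer than six arguments are passed (`$sameSite = \func_num_args() > 5 ? func_get_arg(5) : null;`); it should read `* @param string|null $sameSite`. The literal `false` inserted before `$sameSite` in the new `setCookie` call is unexplained; a short trailing comment naming the constructor position it fills (presumably the raw flag, to be confirmed against `Cookie::__construct`) would spare the next reader a lookup. Nothing in this hunk validates the samesite value read via `func_get_arg`, so whether an unsupported string is rejected depends entirely on the `Cookie` constructor, which is outside the hunk. Since browsers only honour `SameSite=None` together with the `Secure` flag, a call that passes `'none'` with `$secure = false` can silently fail to clear the cookie; the docblock should state that a deletion cookie must carry the same path, domain, secure and samesite attributes as the cookie it replaces.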
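--- a/PATH-NOT-SHOWN/ResponseHeaderBagTest.php
+++ b/PATH-NOT-SHOWN/ResponseHeaderBagTest.php
@@ -128,6 +128,14 @@ class ResponseHeaderBagTest extends TestCase
 $this->assertSetCookieHeader('foo=deleted; expires='.gmdate('D, d-M-Y H:i:s T', time() - 31536001).'; Max-Age=0; path=/; secure', $bag);
 }
 
+public function testClearCookieSamesite()
+{
+$bag = new ResponseHeaderBag([]);
+
+$bag->clearCookie('foo', '/', null, true, false, 'none');
+$this->assertSetCookieHeader('foo=deleted; expires='.gmdate('D, d-M-Y H:i:s T', time() - 31536001).'; Max-Age=0; path=/; secure; samesite=none', $bag);
+}
+
 public function testReplace()
 {
 $bag = new ResponseHeaderBag([]);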
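Review bot: The call in `testClearCookieSamesite` passes three positional flags, `true, false, 'none'`, whose meaning is not visible at the call site, and named arguments are not available on this branch; a trailing comment such as `// secure = true, httpOnly = false, sameSite = 'none'` would make the expected header string self-explaining. The test only exercises the `'none'` value together with `secure = true`; since the expected header is built from the same attributes, a second case with `secure = false` and a samesite value would document what the bag emits for the combination browsers reject, whatever the `Cookie` constructor decides to do with it.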