using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.Hosting; using Microsoft.AspNetCore.Http; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Hosting; namespace WebSameSite { public class Startup31 { public Startup31(IConfiguration configuration) { Configuration = configuration; } public IConfiguration Configuration { get; } #region snippet public void ConfigureServices(IServiceCollection services) { services.Configure(options => { options.MinimumSameSitePolicy = SameSiteMode.Unspecified; options.OnAppendCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); options.OnDeleteCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); }); services.AddRazorPages(); } private void CheckSameSite(HttpContext httpContext, CookieOptions options) { if (options.SameSite == SameSiteMode.None) { var userAgent = httpContext.Request.Headers["User-Agent"].ToString(); #region snippet2 if (MyUserAgentDetectionLib.DisallowsSameSiteNone(userAgent)) { options.SameSite = SameSiteMode.Unspecified; } #endregion } } #endregion public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } else { app.UseExceptionHandler("/Error"); app.UseHsts(); } app.UseHttpsRedirection(); app.UseStaticFiles(); app.UseRouting(); app.UseCookiePolicy(); app.UseAuthentication(); app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapRazorPages(); }); } } public static class MyUserAgentDetectionLib { #region snippetX public static bool DisallowsSameSiteNone(string userAgent) { // Check if a null or empty string has been passed in, since this // will cause further interrogation of the useragent to fail. if (String.IsNullOrWhiteSpace(userAgent)) return false; // Cover all iOS based browsers here. This includes: // - Safari on iOS 12 for iPhone, iPod Touch, iPad // - WkWebview on iOS 12 for iPhone, iPod Touch, iPad // - Chrome on iOS 12 for iPhone, iPod Touch, iPad // All of which are broken by SameSite=None, because they use the iOS networking // stack. if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12")) { return true; } // Cover Mac OS X based browsers that use the Mac OS networking stack. // This includes: // - Safari on Mac OS X. // This does not include: // - Chrome on Mac OS X // Because they do not use the Mac OS networking stack. if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") && userAgent.Contains("Version/") && userAgent.Contains("Safari")) { return true; } // Cover Chrome 50-69, because some versions are broken by SameSite=None, // and none in this range require it. // Note: this covers some pre-Chromium Edge versions, // but pre-Chromium Edge does not require SameSite=None. if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6")) { return true; } return false; } #endregion } } /* // // Summary: // Used to set the SameSite field on response cookies to indicate if those cookies // should be included by the client on future "same-site" or "cross-site" requests. // RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1 public enum SameSiteMode { // // Summary: // No SameSite field will be set, the client should follow its default cookie policy. Unspecified = -1, // // Summary: // Indicates the client should disable same-site restrictions. None = 0, // // Summary: // Indicates the client should send the cookie with "same-site" requests, and with // "cross-site" top-level navigations. Lax = 1, // // Summary: // Indicates the client should only send the cookie with "same-site" requests. Strict = 2 } } */