From aeb24b6189fd35b874ff9efd1c2b1cf69c0d4b63 Mon Sep 17 00:00:00 2001 From: Chris R Date: Thu, 28 Feb 2019 12:42:59 -0800 Subject: [PATCH 1/2] Change SameSite default to None #2675 #4661 --- .../Http.Abstractions/src/CookieBuilder.cs | 6 +- src/Http/Http.Features/src/CookieOptions.cs | 4 +- .../content/RazorPagesWeb-CSharp/Startup.cs | 1 - .../content/StarterWeb-CSharp/Startup.cs | 1 - .../CookiePolicy/src/CookiePolicyOptions.cs | 4 +- .../CookiePolicy/test/CookieChunkingTests.cs | 33 ++++------ .../CookiePolicy/test/CookieConsentTests.cs | 26 ++++---- .../CookiePolicy/test/CookiePolicyTests.cs | 64 +++++++++---------- 8 files changed, 66 insertions(+), 73 deletions(-) diff --git a/src/Http/Http.Abstractions/src/CookieBuilder.cs b/src/Http/Http.Abstractions/src/CookieBuilder.cs index 5c0db2a46f2b..bbaaf07d1fd4 100644 --- a/src/Http/Http.Abstractions/src/CookieBuilder.cs +++ b/src/Http/Http.Abstractions/src/CookieBuilder.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; @@ -49,12 +49,12 @@ public virtual string Name public virtual bool HttpOnly { get; set; } /// - /// The SameSite attribute of the cookie. The default value is + /// The SameSite attribute of the cookie. The default value is /// /// /// Determines the value that will set on . /// - public virtual SameSiteMode SameSite { get; set; } = SameSiteMode.Lax; + public virtual SameSiteMode SameSite { get; set; } = SameSiteMode.None; /// /// The policy that will be used to determine . diff --git a/src/Http/Http.Features/src/CookieOptions.cs b/src/Http/Http.Features/src/CookieOptions.cs index 27141a32f286..81e883bd5615 100644 --- a/src/Http/Http.Features/src/CookieOptions.cs +++ b/src/Http/Http.Features/src/CookieOptions.cs 
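Review bot: With the `CookieBuilder.SameSite` initializer changed to `SameSiteMode.None` in the second hunk of CookieBuilder.cs, a cookie built without an explicit setting is written with no SameSite attribute at all, as the updated expectations later in this patch show (`Test=Value; path=/`). Applications that relied on the previous Lax default as part of their cross-site request forgery defence lose it on upgrade with no compile-time or runtime signal. The same applies to `CookieOptions.SameSite` in the next file. The summary should say so, e.g. `/// With the default, no SameSite attribute is written; set Lax or Strict explicitly on cookies that carry authentication or session state.` The doc comments appear here with their XML tags stripped, so the existing wording should be checked against the file.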
@@ -43,10 +43,10 @@ public CookieOptions() public bool Secure { get; set; } /// - /// Gets or sets the value for the SameSite attribute of the cookie. The default value is + /// Gets or sets the value for the SameSite attribute of the cookie. The default value is /// /// The representing the enforcement mode of the cookie. - public SameSiteMode SameSite { get; set; } = SameSiteMode.Lax; + public SameSiteMode SameSite { get; set; } = SameSiteMode.None; /// /// Gets or sets a value that indicates whether a cookie is accessible by client-side script. diff --git a/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/Startup.cs b/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/Startup.cs index 2a23c083f43a..755e3d6ef164 100644 --- a/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/Startup.cs +++ b/src/ProjectTemplates/Web.ProjectTemplates/content/RazorPagesWeb-CSharp/Startup.cs @@ -58,7 +58,6 @@ public void ConfigureServices(IServiceCollection services) { // This lambda determines whether user consent for non-essential cookies is needed for a given request. options.CheckConsentNeeded = context => true; - options.MinimumSameSitePolicy = SameSiteMode.None; }); #if (IndividualLocalAuth) diff --git a/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/Startup.cs b/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/Startup.cs index e16cfd104c5f..05e98d0a576b 100644 --- a/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/Startup.cs +++ b/src/ProjectTemplates/Web.ProjectTemplates/content/StarterWeb-CSharp/Startup.cs @@ -58,7 +58,6 @@ public void ConfigureServices(IServiceCollection services) { // This lambda determines whether user consent for non-essential cookies is needed for a given request. options.CheckConsentNeeded = context => true; - options.MinimumSameSitePolicy = SameSiteMode.None; }); #if (IndividualLocalAuth) 
diff --git a/src/Security/CookiePolicy/src/CookiePolicyOptions.cs b/src/Security/CookiePolicy/src/CookiePolicyOptions.cs index 32d047297ac5..4f0806c46c95 100644 --- a/src/Security/CookiePolicy/src/CookiePolicyOptions.cs +++ b/src/Security/CookiePolicy/src/CookiePolicyOptions.cs @@ -15,7 +15,7 @@ public class CookiePolicyOptions /// /// Affects the cookie's same site attribute. /// - public SameSiteMode MinimumSameSitePolicy { get; set; } = SameSiteMode.Lax; + public SameSiteMode MinimumSameSitePolicy { get; set; } = SameSiteMode.None; /// /// Affects whether cookies must be HttpOnly. @@ -49,4 +49,4 @@ public class CookiePolicyOptions /// public Action OnDeleteCookie { get; set; } } -} \ No newline at end of file +} diff --git a/src/Security/CookiePolicy/test/CookieChunkingTests.cs b/src/Security/CookiePolicy/test/CookieChunkingTests.cs index e645745b3514..59c45f05b7c7 100644 --- a/src/Security/CookiePolicy/test/CookieChunkingTests.cs +++ b/src/Security/CookiePolicy/test/CookieChunkingTests.cs @@ -18,7 +18,7 @@ public void AppendLargeCookie_Appended() new ChunkingCookieManager() { ChunkSize = null }.AppendResponseCookie(context, "TestCookie", testString, new CookieOptions()); var values = context.Response.Headers["Set-Cookie"]; Assert.Single(values); - Assert.Equal("TestCookie=" + testString + "; path=/; samesite=lax", values[0]); + Assert.Equal("TestCookie=" + testString + "; path=/", values[0]); } [Fact] 
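Review bot: `MinimumSameSitePolicy` now defaults to `SameSiteMode.None` in the first hunk of CookiePolicyOptions.cs, so the cookie policy middleware stops raising any cookie's SameSite setting unless the application configures it. Together with the new per-cookie default, no layer applies SameSite by default. The summary `Affects the cookie's same site attribute.` does not tell a reader that, and the project templates in this patch drop their explicit `options.MinimumSameSitePolicy = SameSiteMode.None;` line, so generated apps no longer show the choice. I would expand the summary to something like `/// The minimum SameSite level applied to cookies; a cookie with a weaker setting is raised to this value. Defaults to None, which leaves each cookie's own setting unchanged.` The middleware behaviour described is inferred from the tests in this patch, not visible in this hunk.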
@@ -29,18 +29,13 @@ public void AppendLargeCookieWithLimit_Chunked() string testString = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; new ChunkingCookieManager() { ChunkSize = 44 }.AppendResponseCookie(context, "TestCookie", testString, new CookieOptions()); var values = context.Response.Headers["Set-Cookie"]; - Assert.Equal(9, values.Count); + Assert.Equal(4, values.Count); Assert.Equal(new[] { - "TestCookie=chunks-8; path=/; samesite=lax", - "TestCookieC1=abcdefgh; path=/; samesite=lax", - "TestCookieC2=ijklmnop; path=/; samesite=lax", - "TestCookieC3=qrstuvwx; path=/; samesite=lax", - "TestCookieC4=yz012345; path=/; samesite=lax", - "TestCookieC5=6789ABCD; path=/; samesite=lax", - "TestCookieC6=EFGHIJKL; path=/; samesite=lax", - "TestCookieC7=MNOPQRST; path=/; samesite=lax", - "TestCookieC8=UVWXYZ; path=/; samesite=lax", + "TestCookie=chunks-3; path=/", + "TestCookieC1=abcdefghijklmnopqrstuv; path=/", + "TestCookieC2=wxyz0123456789ABCDEFGH; path=/", + "TestCookieC3=IJKLMNOPQRSTUVWXYZ; path=/", }, values); } 
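Review bot: After this change `AppendLargeCookieWithLimit_Chunked` no longer exercises a SameSite attribute in the chunk-size calculation. The expected layout drops from nine headers to four because the `; samesite=lax` suffix no longer counts against `ChunkSize = 44`. A second case passing `new CookieOptions { SameSite = SameSiteMode.Lax }` and asserting the previous nine-header layout would keep that path covered, assuming `SameSiteMode` resolves in this test file. The test method starts before the hunk.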
@@ -117,14 +112,14 @@ public void DeleteChunkedCookieWithOptions_AllDeleted() Assert.Equal(8, cookies.Count); Assert.Equal(new[] { - "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", - "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", - "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", - "TestCookieC3=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", - "TestCookieC4=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", - "TestCookieC5=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", - "TestCookieC6=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", - "TestCookieC7=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/; samesite=lax", + "TestCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", + "TestCookieC1=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", + "TestCookieC2=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", + "TestCookieC3=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", + "TestCookieC4=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", + "TestCookieC5=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", + "TestCookieC6=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", + "TestCookieC7=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=foo.com; path=/", }, cookies); } } diff --git a/src/Security/CookiePolicy/test/CookieConsentTests.cs b/src/Security/CookiePolicy/test/CookieConsentTests.cs index fffb8cc88351..ffe8c30619ea 100644 --- a/src/Security/CookiePolicy/test/CookieConsentTests.cs +++ b/src/Security/CookiePolicy/test/CookieConsentTests.cs 
@@ -29,7 +29,7 @@ public async Task ConsentChecksOffByDefault() context.Response.Cookies.Append("Test", "Value"); return Task.CompletedTask; }); - Assert.Equal("Test=Value; path=/; samesite=lax", httpContext.Response.Headers[HeaderNames.SetCookie]); + Assert.Equal("Test=Value; path=/", httpContext.Response.Headers[HeaderNames.SetCookie]); } [Fact] @@ -93,7 +93,7 @@ public async Task NonEssentialCookiesCanBeAllowedViaOnAppendCookie() context.Response.Cookies.Append("Test", "Value", new CookieOptions() { IsEssential = false }); return Task.CompletedTask; }); - Assert.Equal("Test=Value; path=/; samesite=lax", httpContext.Response.Headers[HeaderNames.SetCookie]); + Assert.Equal("Test=Value; path=/", httpContext.Response.Headers[HeaderNames.SetCookie]); } [Fact] @@ -112,7 +112,7 @@ public async Task NeedsConsentDoesNotPreventEssentialCookies() context.Response.Cookies.Append("Test", "Value", new CookieOptions() { IsEssential = true }); return Task.CompletedTask; }); - Assert.Equal("Test=Value; path=/; samesite=lax", httpContext.Response.Headers[HeaderNames.SetCookie]); + Assert.Equal("Test=Value; path=/", httpContext.Response.Headers[HeaderNames.SetCookie]); } [Fact] @@ -165,7 +165,7 @@ public async Task HasConsentReadsRequestCookie() context.Response.Cookies.Append("Test", "Value"); return Task.CompletedTask; }); - Assert.Equal("Test=Value; path=/; samesite=lax", httpContext.Response.Headers[HeaderNames.SetCookie]); + Assert.Equal("Test=Value; path=/", httpContext.Response.Headers[HeaderNames.SetCookie]); } [Fact] 
@@ -223,12 +223,12 @@ public async Task GrantConsentSetsCookie() Assert.Equal("yes", consentCookie.Value); Assert.True(consentCookie.Expires.HasValue); Assert.True(consentCookie.Expires.Value > DateTimeOffset.Now + TimeSpan.FromDays(364)); - Assert.Equal(Net.Http.Headers.SameSiteMode.Lax, consentCookie.SameSite); + Assert.Equal(Net.Http.Headers.SameSiteMode.None, consentCookie.SameSite); Assert.NotNull(consentCookie.Expires); var testCookie = cookies[1]; Assert.Equal("Test", testCookie.Name); Assert.Equal("Value", testCookie.Value); - Assert.Equal(Net.Http.Headers.SameSiteMode.Lax, testCookie.SameSite); + Assert.Equal(Net.Http.Headers.SameSiteMode.None, testCookie.SameSite); Assert.Null(testCookie.Expires); } @@ -302,7 +302,7 @@ public async Task GrantConsentWhenAlreadyHasItDoesNotSetCookie() return Task.CompletedTask; }); - Assert.Equal("Test=Value; path=/; samesite=lax", httpContext.Response.Headers[HeaderNames.SetCookie]); + Assert.Equal("Test=Value; path=/", httpContext.Response.Headers[HeaderNames.SetCookie]); } [Fact] @@ -400,12 +400,12 @@ public async Task WithdrawConsentDeletesCookie() var testCookie = cookies[0]; Assert.Equal("Test", testCookie.Name); Assert.Equal("Value1", testCookie.Value); - Assert.Equal(Net.Http.Headers.SameSiteMode.Lax, testCookie.SameSite); + Assert.Equal(Net.Http.Headers.SameSiteMode.None, testCookie.SameSite); Assert.Null(testCookie.Expires); var consentCookie = cookies[1]; Assert.Equal(".AspNet.Consent", consentCookie.Name); Assert.Equal("", consentCookie.Value); - Assert.Equal(Net.Http.Headers.SameSiteMode.Lax, consentCookie.SameSite); + Assert.Equal(Net.Http.Headers.SameSiteMode.None, consentCookie.SameSite); Assert.NotNull(consentCookie.Expires); } 
@@ -486,7 +486,7 @@ public async Task WithdrawConsentAfterResponseHasStartedDoesNotDeleteCookie() var reader = new StreamReader(httpContext.Response.Body); Assert.Equal("Started.Withdrawn.", await reader.ReadToEndAsync()); - Assert.Equal("Test=Value1; path=/; samesite=lax", httpContext.Response.Headers[HeaderNames.SetCookie]); + Assert.Equal("Test=Value1; path=/", httpContext.Response.Headers[HeaderNames.SetCookie]); } [Fact] @@ -512,7 +512,7 @@ public async Task DeleteCookieDoesNotRequireConsent() var testCookie = cookies[0]; Assert.Equal("Test", testCookie.Name); Assert.Equal("", testCookie.Value); - Assert.Equal(Net.Http.Headers.SameSiteMode.Lax, testCookie.SameSite); + Assert.Equal(Net.Http.Headers.SameSiteMode.None, testCookie.SameSite); Assert.NotNull(testCookie.Expires); } @@ -576,7 +576,7 @@ public async Task CreateConsentCookieMatchesGrantConsentCookie() var consentCookie = cookies[0]; Assert.Equal(".AspNet.Consent", consentCookie.Name); Assert.Equal("yes", consentCookie.Value); - Assert.Equal(Net.Http.Headers.SameSiteMode.Lax, consentCookie.SameSite); + Assert.Equal(Net.Http.Headers.SameSiteMode.None, consentCookie.SameSite); Assert.NotNull(consentCookie.Expires); cookies = SetCookieHeaderValue.ParseList(httpContext.Response.Headers["ManualCookie"]); @@ -657,4 +657,4 @@ private Task RunTestAsync(Action configureOpti return server.SendAsync(configureRequest); } } -} \ No newline at end of file +} diff --git a/src/Security/CookiePolicy/test/CookiePolicyTests.cs b/src/Security/CookiePolicy/test/CookiePolicyTests.cs index a2592e55759b..cf233360fa6d 100644 --- a/src/Security/CookiePolicy/test/CookiePolicyTests.cs +++ b/src/Security/CookiePolicy/test/CookiePolicyTests.cs 
@@ -59,10 +59,10 @@ await RunTest("/secureAlways", transaction => { Assert.NotNull(transaction.SetCookie); - Assert.Equal("A=A; path=/; secure; samesite=lax", transaction.SetCookie[0]); - Assert.Equal("B=B; path=/; secure; samesite=lax", transaction.SetCookie[1]); - Assert.Equal("C=C; path=/; secure; samesite=lax", transaction.SetCookie[2]); - Assert.Equal("D=D; path=/; secure; samesite=lax", transaction.SetCookie[3]); + Assert.Equal("A=A; path=/; secure", transaction.SetCookie[0]); + Assert.Equal("B=B; path=/; secure", transaction.SetCookie[1]); + Assert.Equal("C=C; path=/; secure", transaction.SetCookie[2]); + Assert.Equal("D=D; path=/; secure", transaction.SetCookie[3]); })); } @@ -79,10 +79,10 @@ await RunTest("/secureNone", transaction => { Assert.NotNull(transaction.SetCookie); - Assert.Equal("A=A; path=/; samesite=lax", transaction.SetCookie[0]); - Assert.Equal("B=B; path=/; samesite=lax", transaction.SetCookie[1]); - Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]); - Assert.Equal("D=D; path=/; secure; samesite=lax", transaction.SetCookie[3]); + Assert.Equal("A=A; path=/", transaction.SetCookie[0]); + Assert.Equal("B=B; path=/", transaction.SetCookie[1]); + Assert.Equal("C=C; path=/", transaction.SetCookie[2]); + Assert.Equal("D=D; path=/; secure", transaction.SetCookie[3]); })); } 
@@ -99,19 +99,19 @@ await RunTest("/secureSame", transaction => { Assert.NotNull(transaction.SetCookie); - Assert.Equal("A=A; path=/; samesite=lax", transaction.SetCookie[0]); - Assert.Equal("B=B; path=/; samesite=lax", transaction.SetCookie[1]); - Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]); - Assert.Equal("D=D; path=/; secure; samesite=lax", transaction.SetCookie[3]); + Assert.Equal("A=A; path=/", transaction.SetCookie[0]); + Assert.Equal("B=B; path=/", transaction.SetCookie[1]); + Assert.Equal("C=C; path=/", transaction.SetCookie[2]); + Assert.Equal("D=D; path=/; secure", transaction.SetCookie[3]); }), new RequestTest("https://example.com/secureSame", transaction => { Assert.NotNull(transaction.SetCookie); - Assert.Equal("A=A; path=/; secure; samesite=lax", transaction.SetCookie[0]); - Assert.Equal("B=B; path=/; secure; samesite=lax", transaction.SetCookie[1]); - Assert.Equal("C=C; path=/; secure; samesite=lax", transaction.SetCookie[2]); - Assert.Equal("D=D; path=/; secure; samesite=lax", transaction.SetCookie[3]); + Assert.Equal("A=A; path=/; secure", transaction.SetCookie[0]); + Assert.Equal("B=B; path=/; secure", transaction.SetCookie[1]); + Assert.Equal("C=C; path=/; secure", transaction.SetCookie[2]); + Assert.Equal("D=D; path=/; secure", transaction.SetCookie[3]); })); } 
@@ -128,10 +128,10 @@ await RunTest("/httpOnlyAlways", transaction => { Assert.NotNull(transaction.SetCookie); - Assert.Equal("A=A; path=/; samesite=lax; httponly", transaction.SetCookie[0]); - Assert.Equal("B=B; path=/; samesite=lax; httponly", transaction.SetCookie[1]); - Assert.Equal("C=C; path=/; samesite=lax; httponly", transaction.SetCookie[2]); - Assert.Equal("D=D; path=/; samesite=lax; httponly", transaction.SetCookie[3]); + Assert.Equal("A=A; path=/; httponly", transaction.SetCookie[0]); + Assert.Equal("B=B; path=/; httponly", transaction.SetCookie[1]); + Assert.Equal("C=C; path=/; httponly", transaction.SetCookie[2]); + Assert.Equal("D=D; path=/; httponly", transaction.SetCookie[3]); })); } @@ -148,10 +148,10 @@ await RunTest("/httpOnlyNone", transaction => { Assert.NotNull(transaction.SetCookie); - Assert.Equal("A=A; path=/; samesite=lax", transaction.SetCookie[0]); - Assert.Equal("B=B; path=/; samesite=lax", transaction.SetCookie[1]); - Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]); - Assert.Equal("D=D; path=/; samesite=lax; httponly", transaction.SetCookie[3]); + Assert.Equal("A=A; path=/", transaction.SetCookie[0]); + Assert.Equal("B=B; path=/", transaction.SetCookie[1]); + Assert.Equal("C=C; path=/", transaction.SetCookie[2]); + Assert.Equal("D=D; path=/; httponly", transaction.SetCookie[3]); })); } @@ -212,7 +212,7 @@ await RunTest("/sameSiteNone", Assert.NotNull(transaction.SetCookie); Assert.Equal("A=A; path=/", transaction.SetCookie[0]); Assert.Equal("B=B; path=/", transaction.SetCookie[1]); - Assert.Equal("C=C; path=/; samesite=lax", transaction.SetCookie[2]); + Assert.Equal("C=C; path=/", transaction.SetCookie[2]); Assert.Equal("D=D; path=/; samesite=lax", transaction.SetCookie[3]); Assert.Equal("E=E; path=/; samesite=strict", transaction.SetCookie[4]); })); 
@@ -232,7 +232,7 @@ public async Task CookiePolicyCanHijackAppend() { context.Response.Cookies.Append("A", "A"); context.Response.Cookies.Append("B", "B", new CookieOptions { Secure = false }); - context.Response.Cookies.Append("C", "C", new CookieOptions()); + context.Response.Cookies.Append("C", "C", new CookieOptions() { SameSite = Http.SameSiteMode.Strict }); context.Response.Cookies.Append("D", "D", new CookieOptions { Secure = true }); return Task.FromResult(0); }); @@ -242,10 +242,10 @@ public async Task CookiePolicyCanHijackAppend() var transaction = await server.SendAsync("http://example.com/login"); Assert.NotNull(transaction.SetCookie); - Assert.Equal("Hao=Hao; path=/; samesite=lax", transaction.SetCookie[0]); - Assert.Equal("Hao=Hao; path=/; samesite=lax", transaction.SetCookie[1]); - Assert.Equal("Hao=Hao; path=/; samesite=lax", transaction.SetCookie[2]); - Assert.Equal("Hao=Hao; path=/; secure; samesite=lax", transaction.SetCookie[3]); + Assert.Equal("Hao=Hao; path=/", transaction.SetCookie[0]); + Assert.Equal("Hao=Hao; path=/", transaction.SetCookie[1]); + Assert.Equal("Hao=Hao; path=/; samesite=strict", transaction.SetCookie[2]); + Assert.Equal("Hao=Hao; path=/; secure", transaction.SetCookie[3]); } [Fact] @@ -273,7 +273,7 @@ public async Task CookiePolicyCanHijackDelete() Assert.NotNull(transaction.SetCookie); Assert.Equal(1, transaction.SetCookie.Count); - Assert.Equal("A=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax", transaction.SetCookie[0]); + Assert.Equal("A=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure", transaction.SetCookie[0]); } [Fact] @@ -468,4 +468,4 @@ private async Task RunTest( } } } -} \ No newline at end of file +} From a05d77495939de16d00e1413cd760c2575447d73 Mon Sep 17 00:00:00 2001 From: Chris R Date: Thu, 28 Feb 2019 14:41:48 -0800 Subject: [PATCH 2/2] SameSite for rewrite --- .../Rewrite/test/UrlActions/ChangeCookieActionTests.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/Middleware/Rewrite/test/UrlActions/ChangeCookieActionTests.cs b/src/Middleware/Rewrite/test/UrlActions/ChangeCookieActionTests.cs index 08a658e19e18..20096ef1620e 100644 --- a/src/Middleware/Rewrite/test/UrlActions/ChangeCookieActionTests.cs +++ b/src/Middleware/Rewrite/test/UrlActions/ChangeCookieActionTests.cs @@ -30,7 +30,7 @@ public void SetsCookie() var cookieHeaders = context.HttpContext.Response.Headers[HeaderNames.SetCookie]; var header = Assert.Single(cookieHeaders); - Assert.Equal($"Cookie=Chocolate%20Chip; expires={HeaderUtilities.FormatDate(now.AddMinutes(1440))}; domain=contoso.com; path=/recipes; secure; samesite=lax; httponly", header); + Assert.Equal($"Cookie=Chocolate%20Chip; expires={HeaderUtilities.FormatDate(now.AddMinutes(1440))}; domain=contoso.com; path=/recipes; secure; httponly", header); } [Fact] @@ -46,7 +46,7 @@ public void ZeroLifetime() var cookieHeaders = context.HttpContext.Response.Headers[HeaderNames.SetCookie]; var header = Assert.Single(cookieHeaders); - Assert.Equal($"Cookie=Chocolate%20Chip; samesite=lax", header); + Assert.Equal($"Cookie=Chocolate%20Chip", header); } @@ -60,7 +60,7 @@ public void UnsetCookie() var cookieHeaders = context.HttpContext.Response.Headers[HeaderNames.SetCookie]; var header = Assert.Single(cookieHeaders); - Assert.Equal($"Cookie=; samesite=lax", header); + Assert.Equal($"Cookie=", header); } } }
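Review bot: The rewritten assertions in `ZeroLifetime` and `UnsetCookie` keep the `$` prefix on strings with no interpolation hole, which reads as if a value were meant to be substituted. Plain literals are enough: `Assert.Equal("Cookie=Chocolate%20Chip", header);` and `Assert.Equal("Cookie=", header);`. Both test methods start before their hunks.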