HttpExtension: added option sameSiteProtection and Request::isSameSite()

dg · dg · commit 4493f9b48d5e · 2018-08-31T01:01:03.000+02:00
diff --git a/src/Bridges/HttpDI/HttpExtension.php b/src/Bridges/HttpDI/HttpExtension.php
@@ -28,6 +28,7 @@ class HttpExtension extends Nette\DI\CompilerExtension
 		'cspReportOnly' => [], // Content-Security-Policy-Report-Only
 		'featurePolicy' => [], // Feature-Policy
 		'secureCookie' => 'auto', // true|false|auto  Whether the cookie is available only through HTTPS
+		'sameSiteProtection' => null, // activate Response::isSameSite() protection
 	];
 
 	/** @var bool */
@@ -127,6 +128,10 @@ public function afterCompile(Nette\PhpGenerator\ClassType $class)
 				$initialize->addBody('$this->getService(?)->setHeader(?, ?);', [$this->prefix('response'), $key, $value]);
 			}
 		}
+
+		if (!empty($config['sameSiteProtection'])) {
+			$initialize->addBody('$this->getService(?)->setCookie(...?);', [$this->prefix('response'), ['nette-samesite', '1', 0, null, null, null, true, 'Strict']]);
+		}
 	}
 
 
diff --git a/src/Http/Request.php b/src/Http/Request.php
@@ -227,6 +227,15 @@ public function isSecured(): bool
 	}
 
 
+	/**
+	 * Is the request sent from the same origin?
+	 */
+	public function isSameSite(): bool
+	{
+		return !empty($this->cookies['nette-samesite']);
+	}
+
+
 	/**
 	 * Is AJAX request?
 	 */
diff --git a/tests/Http.DI/HttpExtension.sameSiteProtection.phpt b/tests/Http.DI/HttpExtension.sameSiteProtection.phpt
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+use Nette\Bridges\HttpDI\HttpExtension;
+use Nette\Bridges\HttpDI\SessionExtension;
+use Nette\DI;
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+if (PHP_SAPI === 'cli') {
+	Tester\Environment::skip('Headers are not testable in CLI mode');
+}
+
+
+$compiler = new DI\Compiler;
+$compiler->addExtension('http', new HttpExtension);
+$compiler->addExtension('session', new SessionExtension(false, PHP_SAPI === 'cli'));
+
+$loader = new DI\Config\Loader;
+$config = $loader->load(Tester\FileMock::create('
+http:
+	sameSiteProtection: yes
+', 'neon'));
+
+eval($compiler->addConfig($config)->compile());
+
+$container = new Container;
+$container->initialize();
+
+$headers = headers_list();
+Assert::contains(
+	PHP_VERSION_ID >= 70300
+		? 'Set-Cookie: nette-samesite=1; path=/; HttpOnly; SameSite=Strict'
+		: 'Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly',
+	$headers
+);
+Assert::same('Lax', $container->getService('session.session')->getOptions()['cookie_samesite']);

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ class HttpExtension extends Nette\DI\CompilerExtension`
`28`	`28`	`'cspReportOnly' => [], // Content-Security-Policy-Report-Only`
`29`	`29`	`'featurePolicy' => [], // Feature-Policy`
`30`	`30`	`'secureCookie' => 'auto', // true\|false\|auto Whether the cookie is available only through HTTPS`
	`31`	`+ 'sameSiteProtection' => null, // activate Response::isSameSite() protection`
`31`	`32`	`];`
`32`	`33`
`33`	`34`	`/** @var bool */`
`@@ -127,6 +128,10 @@ public function afterCompile(Nette\PhpGenerator\ClassType $class)`
`127`	`128`	`$initialize->addBody('$this->getService(?)->setHeader(?, ?);', [$this->prefix('response'), $key, $value]);`
`128`	`129`	`}`
`129`	`130`	`}`
	`131`	`+`
	`132`	`+ if (!empty($config['sameSiteProtection'])) {`
	`133`	`+ $initialize->addBody('$this->getService(?)->setCookie(...?);', [$this->prefix('response'), ['nette-samesite', '1', 0, null, null, null, true, 'Strict']]);`
	`134`	`+ }`
`130`	`135`	`}`
`131`	`136`
`132`	`137`