From: Graham Knop Date: Mon, 17 Aug 2020 06:54:12 +0000 (+0200) Subject: add SameSite support X-Git-Tag: v0.18~5 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=f877359ebfc27bd0bc84ea6a8a7afab055ad377d;p=catagits%2FCatalyst-Plugin-Session-State-Cookie.git add SameSite support --- diff --git a/lib/Catalyst/Plugin/Session/State/Cookie.pm b/lib/Catalyst/Plugin/Session/State/Cookie.pm index 2e7a2a1..c7bebf1 100644 --- a/lib/Catalyst/Plugin/Session/State/Cookie.pm +++ b/lib/Catalyst/Plugin/Session/State/Cookie.pm @@ -81,6 +81,10 @@ sub make_session_cookie { $cookie->{httponly} = 1 unless defined $cookie->{httponly}; # default = 1 (set httponly) + $cookie->{samesite} = $cfg->{cookie_samesite}; + $cookie->{samesite} = "Lax" + unless defined $cookie->{ samesite}; # default = Lax + return $cookie; } @@ -255,6 +259,26 @@ that this cookie works only over HTTP and not over HTTPS. Note2: This parameter requires Catalyst::Runtime 5.80005 otherwise is skipped. +=item cookie_samesite + +This attribute configures the value of the +L +flag. + +If set to None, the cookie will be sent when making cross origin requests, +including following links from other origins. This requires the +L flag to be set. + +If set to Lax, the cookie will not be included when embedded in or fetched from +other origins, but will be included when following cross origin links. + +If set to Strict, the cookie will not be included for any cross origin requests, +including links from different origins. + +Default value is C. This is the default modern browsers use. + +Note: This parameter requires Catalyst::Runtime 5.90125 otherwise is skipped. + =item cookie_path The path of the request url where cookie should be baked. diff --git a/t/basic.t b/t/basic.t index 60c33e4..6d96eef 100644 --- a/t/basic.t +++ b/t/basic.t 
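Review bot: The new default in make_session_cookie accepts any cookie_samesite value unchecked, and in particular `None` is passed through even when the cookie is not marked secure, although current browsers drop a SameSite=None cookie that lacks the Secure attribute, so that configuration would silently produce a session cookie the browser never stores. The POD added in this same commit states the requirement but the code does not enforce it; a one-line guard after the defaulting, `croak "cookie_samesite 'None' requires the secure flag" if lc $cookie->{samesite} eq 'none' and not $cookie->{secure};`, would fail fast at the first request instead (the secure key is presumably set from cookie_secure earlier in the sub, outside this hunk). Since an unrecognised value is also emitted verbatim into Set-Cookie, validating against the three defined values (Lax, Strict, None) in the same place would catch typos that otherwise degrade to whatever the browser's default is. As a point of style, `$cookie->{ samesite}` has a stray space inside the braces and should read `$cookie->{samesite}` like the httponly line above it. make_session_cookie starts before this hunk.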
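Review bot: The sentence "This is the default modern browsers use" under the new cookie_samesite item overstates the equivalence: an explicit `Lax` is stricter than Chrome's Lax-by-default treatment of attribute-less cookies, which (as I understand it) still sends such a cookie on top-level cross-site POSTs for a short window after it is set, and other browsers at the time did not default to Lax at all. I would also add the caveat practitioners need here: SameSite is a defence-in-depth measure and not a substitute for CSRF tokens, since it does not restrict requests from other origins on the same registrable domain and is only honoured by browsers that implement the attribute. Suggested wording for the last paragraph: "Default value is C<Lax>, which is stricter than what browsers apply to cookies without a SameSite attribute. SameSite does not replace CSRF protection: requests from other hosts under the same registrable domain still carry the cookie, and browsers without SameSite support ignore the attribute entirely."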
@@ -78,7 +78,14 @@ $cxt->set_session_id($sessionid); ok( $cookies_called, "response cookie was set when sessionid changed" ); is_deeply( \%res_cookies, - { session => { value => $sessionid, httponly => 1, expires => 123 } }, + { + session => { + value => $sessionid, + httponly => 1, + expires => 123, + samesite => 'Lax', + }, + }, "cookie was set correctly" );