Posted to cvs@httpd.apache.org by co...@apache.org on 2020/02/08 01:14:28 UTC

svn commit: r1873762 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml docs/manual/rewrite/flags.xml modules/mappers/mod_rewrite.c

Author: covener
Date: Sat Feb  8 01:14:28 2020
New Revision: 1873762

URL: http://svn.apache.org/viewvc?rev=1873762&view=rev
Log:
add SameSite to RewriteRule ... ... [CO]


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
    httpd/httpd/trunk/docs/manual/rewrite/flags.xml
    httpd/httpd/trunk/modules/mappers/mod_rewrite.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1873762&r1=1873761&r2=1873762&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Feb  8 01:14:28 2020
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a 
+     SameSite attribute. [Eric Covener]
+
   *) Update DOCTYPE tags in server-generated HTML. PR62989.
      [Andra Farkas <deepbluemistake gmail.com>, Giovanni Bechis <giovanni paclan.it>]
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml?rev=1873762&r1=1873761&r2=1873762&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml Sat Feb  8 01:14:28 2020
@@ -1343,7 +1343,7 @@ cannot use <code>$N</code> in the substi
     <tr>
         <td>cookie|CO=<em>NAME</em>:<em>VAL</em></td>
         <td>Sets a cookie in the client browser. Full syntax is:
-        CO=<em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>]]]] <em><a href="../rewrite/flags.html#flag_co">details ...</a></em>
+        CO=<em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>[<em>samesite</em>]]]]] <em><a href="../rewrite/flags.html#flag_co">details ...</a></em>
         </td>
     </tr>
     <tr>
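
Review bot: The new syntax string on the `+` line is missing the `:` separator before samesite. It reads `[:<em>httponly</em>[<em>samesite</em>]]`, while every other optional field is introduced with a colon and the flags.xml example in this same commit shows `httponly:samesite`. Suggest `[:<em>httponly</em>[:<em>samesite</em>]]` so the summary table matches the separator the parser actually splits on.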

Modified: httpd/httpd/trunk/docs/manual/rewrite/flags.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/rewrite/flags.xml?rev=1873762&r1=1873761&r2=1873762&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/rewrite/flags.xml (original)
+++ httpd/httpd/trunk/docs/manual/rewrite/flags.xml Sat Feb  8 01:14:28 2020
@@ -134,14 +134,14 @@ skipped.</p>
 <section id="flag_co"><title>CO|cookie</title>
 <p>The [CO], or [cookie] flag, allows you to set a cookie when a
 particular <directive module="mod_rewrite">RewriteRule</directive>
-matches. The argument consists of three required fields and four optional
+matches. The argument consists of three required fields and five optional
 fields.</p>
 
 <p>The full syntax for the flag, including all attributes, is as
 follows:</p>
 
 <example>
-[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly]
+[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly:samesite]
 </example>
 
 <p>If a literal ':' character is needed in any of the cookie fields, an 
@@ -150,7 +150,7 @@ alternate syntax is available.  To opt-i
 specified as ';'.</p>
 
 <example>
-[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly]
+[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly;samesite]
 </example>
 
 <p>You must declare a name, a value, and a domain for the cookie to be set.</p>
@@ -191,6 +191,12 @@ connections.</dd>
 which means that the cookie is inaccessible to JavaScript code on
 browsers that support this feature.</dd>
 </dl>
+<dt>samesite</dt>
+<dd>If set to anything other than <code>0</code>, the <code>SameSite</code>
+attribute is set to the specified value.  Typical values are <code>None</code>,
+<code>Lax</code>, and <code>Strict</code>.Available in 2.5.1 and later.</dd>
+</dl>
+
 
 <p>Consider this example:</p>
 
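
Review bot: The added `<dt>samesite</dt>` / `<dd>` pair sits after the existing `</dl>` context line and is followed by a second, added `</dl>`, so the new entry is outside the definition list and the file gains an unmatched closing tag. Insert the entry above the existing `</dl>` and drop the added one. Two smaller points in the same `<dd>`: there is no space in `Strict</code>.Available`, and the sentence says the attribute is set for anything other than `0`, which does not match the `!strcasecmp(samesite, "0")` test added to add_cookie() in this commit. One of the two needs to change.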

Modified: httpd/httpd/trunk/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?rev=1873762&r1=1873761&r2=1873762&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/trunk/modules/mappers/mod_rewrite.c Sat Feb  8 01:14:28 2020
@@ -2581,6 +2581,7 @@ static void add_cookie(request_rec *r, c
     char *path;
     char *secure;
     char *httponly;
+    char *samesite;
 
     char *tok_cntx;
     char *cookie;
@@ -2615,6 +2616,7 @@ static void add_cookie(request_rec *r, c
             path = expires ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
             secure = path ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
             httponly = secure ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
+            samesite = httponly ? apr_strtok(NULL, sep, &tok_cntx) : NULL;
 
             if (expires) {
                 apr_time_exp_t tms;
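
Review bot: samesite is only read when httponly is non-NULL, and httponly only when secure is, so a rule cannot set SameSite without also supplying lifetime, path, secure and httponly. Because apr_strtok skips runs of the separator, an empty field such as `::` does not hold a position, so each skipped attribute needs an explicit placeholder value. The flags.xml text added in this commit does not say this; a sentence there stating that all preceding fields must be present would prevent rules where the intended SameSite value lands in the httponly slot.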
@@ -2654,6 +2656,11 @@ static void add_cookie(request_rec *r, c
                                   "; HttpOnly" : NULL,
                                  NULL);
 
+            if (samesite && !strcasecmp(samesite, "0")) { 
+                cookie = apr_pstrcat(rmain->pool, cookie, "; SameSite=", 
+                                     samesite, NULL);
+            }
+
             apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie);
             apr_pool_userdata_set("set", notename, NULL, rmain->pool);
             rewritelog(rmain, 5, NULL, "setting cookie '%s'", cookie);
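
Review bot: The condition `samesite && !strcasecmp(samesite, "0")` is inverted. strcasecmp returns 0 on a match, so the branch runs only when the field is exactly `0` and appends `; SameSite=0`, while a configured `Lax`, `Strict` or `None` is dropped and the cookie goes out with no SameSite attribute at all. That is the opposite of the flags.xml text added in this commit, and it fails quietly: a rule written to restrict cross-site sending of the cookie produces an unrestricted one. Suggest `if (samesite && strcmp(samesite, "0")) {`. The rewritelog call at the end of the hunk prints the final cookie string at level 5, which gives a direct way to confirm the attribute once the test is corrected.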



Re: svn commit: r1873762 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml docs/manual/rewrite/flags.xml modules/mappers/mod_rewrite.c

Posted by Eric Covener <co...@gmail.com>.
On Wed, Aug 26, 2020 at 4:16 AM Ruediger Pluem <rp...@apache.org> wrote:
>
>
>
> On 2/8/20 2:14 AM, covener@apache.org wrote:
> > Author: covener
> > Date: Sat Feb  8 01:14:28 2020
> > New Revision: 1873762
> >
> > URL: http://svn.apache.org/viewvc?rev=1873762&view=rev
> > Log:
> > add SameSite to RewriteRule ... ... [CO]
> >
> >
> > Modified:
> >     httpd/httpd/trunk/CHANGES
> >     httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> >     httpd/httpd/trunk/docs/manual/rewrite/flags.xml
> >     httpd/httpd/trunk/modules/mappers/mod_rewrite.c
> >
>
> > Modified: httpd/httpd/trunk/modules/mappers/mod_rewrite.c
> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?rev=1873762&r1=1873761&r2=1873762&view=diff
> > ==============================================================================
> > --- httpd/httpd/trunk/modules/mappers/mod_rewrite.c (original)
> > +++ httpd/httpd/trunk/modules/mappers/mod_rewrite.c Sat Feb  8 01:14:28 2020
>
> > @@ -2654,6 +2656,11 @@ static void add_cookie(request_rec *r, c
> >                                    "; HttpOnly" : NULL,
> >                                   NULL);
> >
> > +            if (samesite && !strcasecmp(samesite, "0")) {
>
> Doesn't it need to be strcmp(samesite, "0") instead of !strcasecmp(samesite, "0") ?
> I mean the above will set samesite to '0' in the cookie if samesite is '0'.

Yep, I see what you mean.

>
> > +                cookie = apr_pstrcat(rmain->pool, cookie, "; SameSite=",
> > +                                     samesite, NULL);
> > +            }
> > +
>
> Any particular reason why we don't accept 'false' in a case insensitive way along with 0 as the flag
> not being set? This would be in line with the other flags.

It is certainly weird but I have no memory of it.    Added "false" w/
a test in 1881263/1881264

Thanks!

>
> I think the second apr_pstrcat can waste some memory as we nearly need the memory for the cookie twice in case samesite is set.
> Is it worth converting both apr_pstrcat sections to fill an iovec struct and doing one apr_pstrcatv afterwards?
>
> Regards
>
> Rüdiger



--
Eric Covener
covener@gmail.com

Re: svn commit: r1873762 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml docs/manual/rewrite/flags.xml modules/mappers/mod_rewrite.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 2/8/20 2:14 AM, covener@apache.org wrote:
> Author: covener
> Date: Sat Feb  8 01:14:28 2020
> New Revision: 1873762
> 
> URL: http://svn.apache.org/viewvc?rev=1873762&view=rev
> Log:
> add SameSite to RewriteRule ... ... [CO]
> 
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
>     httpd/httpd/trunk/docs/manual/rewrite/flags.xml
>     httpd/httpd/trunk/modules/mappers/mod_rewrite.c
> 

> Modified: httpd/httpd/trunk/modules/mappers/mod_rewrite.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?rev=1873762&r1=1873761&r2=1873762&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/mappers/mod_rewrite.c (original)
> +++ httpd/httpd/trunk/modules/mappers/mod_rewrite.c Sat Feb  8 01:14:28 2020

> @@ -2654,6 +2656,11 @@ static void add_cookie(request_rec *r, c
>                                    "; HttpOnly" : NULL,
>                                   NULL);
>  
> +            if (samesite && !strcasecmp(samesite, "0")) { 

Doesn't it need to be strcmp(samesite, "0") instead of !strcasecmp(samesite, "0") ?
I mean the above will set samesite to '0' in the cookie if samesite is '0'.

> +                cookie = apr_pstrcat(rmain->pool, cookie, "; SameSite=", 
> +                                     samesite, NULL);
> +            }
> +

Any particular reason why we don't accept 'false' in a case insensitive way along with 0 as the flag
not being set? This would be in line with the other flags.

I think the second apr_pstrcat can waste some memory as we nearly need the memory for the cookie twice in case samesite is set.
Is it worth converting both apr_pstrcat sections to fill an iovec struct and doing one apr_pstrcatv afterwards?

Regards

Rüdiger