Blame SOURCES/httpd-2.4.37-usertrack-samesite.patch

fb3f8d
diff --git a/docs/manual/mod/mod_usertrack.html.en b/docs/manual/mod/mod_usertrack.html.en
fb3f8d
index b212747..d2da9b9 100644
fb3f8d
--- a/docs/manual/mod/mod_usertrack.html.en
fb3f8d
+++ b/docs/manual/mod/mod_usertrack.html.en
fb3f8d
@@ -47,7 +47,10 @@
fb3f8d
 
    fb3f8d
     
  • CookieDomain
  • fb3f8d
     
  • CookieExpires
  • fb3f8d
    +
  • CookieHTTPOnly
  • fb3f8d
     
  • CookieName
  • fb3f8d
    +
  • CookieSameSite
  • fb3f8d
    +
  • CookieSecure
  • fb3f8d
     
  • CookieStyle
  • fb3f8d
     
  • CookieTracking
  • fb3f8d
     
    fb3f8d
    @@ -127,6 +130,22 @@ CustomLog "logs/clickstream.log" usertrack
    fb3f8d
         
    CookieExpires "3 weeks"
    fb3f8d
     
    fb3f8d
     
    fb3f8d
    +
    fb3f8d
    +
    top
    fb3f8d
    +
    fb3f8d
    +
    fb3f8d
    +Description:Adds the 'HTTPOnly' attribute to the cookie
    fb3f8d
    +Syntax:CookieHTTPOnly on|off
    fb3f8d
    +Default:CookieHTTPOnly off
    fb3f8d
    +Context:server config, virtual host, directory, .htaccess
    fb3f8d
    +Override:FileInfo
    fb3f8d
    +Status:Extension
    fb3f8d
    +Module:mod_usertrack
    fb3f8d
    +
    fb3f8d
    +    

    When set to 'ON', the 'HTTPOnly' cookie attribute is added to this

    fb3f8d
    +    modules tracking cookie. This attribute instructs browsers to block javascript
    fb3f8d
    +    from reading the value of the cookie.

    fb3f8d
    +
    fb3f8d
     
    fb3f8d
     
    top
    fb3f8d
     
    fb3f8d
    @@ -150,6 +169,45 @@ CustomLog "logs/clickstream.log" usertrack
    fb3f8d
         
    CookieName clicktrack
    fb3f8d
     
    fb3f8d
     
    fb3f8d
    +
    fb3f8d
    +
    top
    fb3f8d
    +
    fb3f8d
    +
    fb3f8d
    +Description:Adds the 'SameSite' attribute to the cookie
    fb3f8d
    +Syntax:CookieSameSite None|Lax|Strict
    fb3f8d
    +Default:unset
    fb3f8d
    +Context:server config, virtual host, directory, .htaccess
    fb3f8d
    +Override:FileInfo
    fb3f8d
    +Status:Extension
    fb3f8d
    +Module:mod_usertrack
    fb3f8d
    +
    fb3f8d
    +    

    When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute

    fb3f8d
    +    is added to this modules tracking cookie with the corresponding value.  
    fb3f8d
    +    This attribute instructs browser on how to treat the cookie when it is 
    fb3f8d
    +    requested in a cross-site context.

    fb3f8d
    +
    fb3f8d
    +     
    fb3f8d
    +        

    A value of 'None' sets 'SameSite=None', which is the most liberal setting. To

    fb3f8d
    +        omit this attribute, omit the directive entirely.

    fb3f8d
    +    
    fb3f8d
    +  
    fb3f8d
    +
    fb3f8d
    +
    fb3f8d
    +
    top
    fb3f8d
    +
    fb3f8d
    +
    fb3f8d
    +Description:Adds the 'Secure' attribute to the cookie
    fb3f8d
    +Syntax:CookieSecure on|off
    fb3f8d
    +Default:CookieSecure off
    fb3f8d
    +Context:server config, virtual host, directory, .htaccess
    fb3f8d
    +Override:FileInfo
    fb3f8d
    +Status:Extension
    fb3f8d
    +Module:mod_usertrack
    fb3f8d
    +
    fb3f8d
    +    

    When set to 'ON', the 'Secure' cookie attribute is added to this

    fb3f8d
    +    modules tracking cookie. This attribute instructs browsers to only
    fb3f8d
    +    transmit the cookie over HTTPS.

    fb3f8d
    +
    fb3f8d
     
    fb3f8d
     
    top
    fb3f8d
     
    fb3f8d
    diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
    fb3f8d
    index 73a9f45..65759c2 100644
    fb3f8d
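--- a/modules/metadata/mod_usertrack.c
+++ b/modules/metadata/mod_usertrack.c
@@ -86,6 +86,9 @@ typedef struct {
     const char *cookie_domain;
     char *regexp_string;  /* used to compile regexp; save for debugging */
     ap_regex_t *regexp;  /* used to find usertrack cookie in cookie header */
+    int is_secure;
+    int is_httponly;
+    const char *samesite;
 } cookie_dir_rec;
 
 /* Make Cookie: Now we have to generate something that is going to be
@@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
                                   : ""),
                                  NULL);
     }
+    if (dcfg->samesite != NULL) {
+        new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
+                                 dcfg->samesite,
+                                 NULL);
+    }
+    if (dcfg->is_secure) {
+        new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
+                                 NULL);
+    }
+    if (dcfg->is_httponly) {
+        new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
+                                 NULL);
+    }
+
+
 
     apr_table_addn(r->err_headers_out,
                    (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
@@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t *p, char *d)
     dcfg->cookie_domain = NULL;
     dcfg->style = CT_UNSET;
     dcfg->enabled = 0;
+    /* calloc'ed to disabled: samesite, is_secure, is_httponly */
 
     /* In case the user does not use the CookieName directive,
      * we need to compile the regexp for the default cookie name. */
@@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_parms *cmd, void *mconfig,
     return NULL;
 }
 
+/* 
+ * SameSite enabled disabled 
+ */ 
+
+static const char *set_samesite_value(cmd_parms *cmd, void *mconfig,
+                                    const char *name)
+{
+    cookie_dir_rec *dcfg;
+
+    dcfg = (cookie_dir_rec *) mconfig;
+
+    if (strcasecmp(name, "strict") == 0) {
+        dcfg->samesite = "SameSite=Strict"; 
+    } else if (strcasecmp(name, "lax") == 0) {
+        dcfg->samesite = "SameSite=Lax"; 
+    } else if (strcasecmp(name, "none") == 0) {
+        dcfg->samesite = "SameSite=None"; 
+    } else {
+        return "CookieSameSite accepts 'Strict', 'Lax', or 'None'";
+    }
+
+    
+    return NULL;
+}
+
 static const command_rec cookie_log_cmds[] = {
     AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
                   "an expiry date code"),
@@ -440,6 +484,17 @@ static const command_rec cookie_log_cmds[] = {
                  "whether or not to enable cookies"),
     AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
                   "name of the tracking cookie"),
+                  AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,
+                 "whether or not to enable cookies"),
+    AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO,
+                  "SameSite setting"),
+    AP_INIT_FLAG("CookieSecure", ap_set_flag_slot, 
+                 (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO,
+                 "is cookie secure"),
+    AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot, 
+                 (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO,
+                 "is cookie http only"),
+
     {NULL}
 };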
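Review bot: In the `cookie_log_cmds` hunk the added `AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,` entry appears to repeat the existing one, whose help string `"whether or not to enable cookies"` is visible as context just above. The directive would then be listed twice in the table; the mis-indented pair looks like a backport leftover and should be dropped. Separately, `make_cookie` appends `dcfg->samesite` without looking at `is_secure`, so `CookieSameSite None` with the default `CookieSecure off` sends `SameSite=None` without `Secure`, which current browsers reject. `set_samesite_value` could carry a comment such as `/* SameSite=None is only accepted by browsers together with Secure; pair with CookieSecure on */`, and the header comment `SameSite enabled disabled` should instead say that the function maps the directive argument to the attribute string. `make_cookie` and the `cookie_log_cmds` table both begin outside their hunks.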