Blame SOURCES/httpd-2.4.37-usertrack-samesite.patch

295152
diff --git a/docs/manual/mod/mod_usertrack.html.en b/docs/manual/mod/mod_usertrack.html.en
295152
index b212747..d2da9b9 100644
295152
--- a/docs/manual/mod/mod_usertrack.html.en
295152
+++ b/docs/manual/mod/mod_usertrack.html.en
295152
@@ -47,7 +47,10 @@
295152
 
    295152
     
  • CookieDomain
  • 295152
     
  • CookieExpires
  • 295152
    +
  • CookieHTTPOnly
  • 295152
     
  • CookieName
  • 295152
    +
  • CookieSameSite
  • 295152
    +
  • CookieSecure
  • 295152
     
  • CookieStyle
  • 295152
     
  • CookieTracking
  • 295152
     
    295152
    @@ -127,6 +130,22 @@ CustomLog "logs/clickstream.log" usertrack
    295152
         
    CookieExpires "3 weeks"
    295152
     
    295152
     
    295152
    +
    295152
    +
    top
    295152
    +
    295152
    +
    295152
    +Description:Adds the 'HTTPOnly' attribute to the cookie
    295152
    +Syntax:CookieHTTPOnly on|off
    295152
    +Default:CookieHTTPOnly off
    295152
    +Context:server config, virtual host, directory, .htaccess
    295152
    +Override:FileInfo
    295152
    +Status:Extension
    295152
    +Module:mod_usertrack
    295152
    +
    295152
    +    

    When set to 'ON', the 'HTTPOnly' cookie attribute is added to this

    295152
    +    modules tracking cookie. This attribute instructs browsers to block javascript
    295152
    +    from reading the value of the cookie.

    295152
    +
    295152
     
    295152
     
    top
    295152
     
    295152
    @@ -150,6 +169,45 @@ CustomLog "logs/clickstream.log" usertrack
    295152
         
    CookieName clicktrack
    295152
     
    295152
     
    295152
    +
    295152
    +
    top
    295152
    +
    295152
    +
    295152
    +Description:Adds the 'SameSite' attribute to the cookie
    295152
    +Syntax:CookieSameSite None|Lax|Strict
    295152
    +Default:unset
    295152
    +Context:server config, virtual host, directory, .htaccess
    295152
    +Override:FileInfo
    295152
    +Status:Extension
    295152
    +Module:mod_usertrack
    295152
    +
    295152
    +    

    When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute

    295152
    +    is added to this modules tracking cookie with the corresponding value.  
    295152
    +    This attribute instructs browser on how to treat the cookie when it is 
    295152
    +    requested in a cross-site context.

    295152
    +
    295152
    +     
    295152
    +        

    A value of 'None' sets 'SameSite=None', which is the most liberal setting. To

    295152
    +        omit this attribute, omit the directive entirely.

    295152
    +    
    295152
    +  
    295152
    +
    295152
    +
    295152
    +
    top
    295152
    +
    295152
    +
    295152
    +Description:Adds the 'Secure' attribute to the cookie
    295152
    +Syntax:CookieSecure on|off
    295152
    +Default:CookieSecure off
    295152
    +Context:server config, virtual host, directory, .htaccess
    295152
    +Override:FileInfo
    295152
    +Status:Extension
    295152
    +Module:mod_usertrack
    295152
    +
    295152
    +    

    When set to 'ON', the 'Secure' cookie attribute is added to this

    295152
    +    modules tracking cookie. This attribute instructs browsers to only
    295152
    +    transmit the cookie over HTTPS.

    295152
    +
    295152
     
    295152
     
    top
    295152
     
    295152
    diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
    295152
    index 73a9f45..65759c2 100644
    295152
    --- a/modules/metadata/mod_usertrack.c
    295152
    +++ b/modules/metadata/mod_usertrack.c
    295152
    @@ -86,6 +86,9 @@ typedef struct {
    295152
         const char *cookie_domain;
    295152
         char *regexp_string;  /* used to compile regexp; save for debugging */
    295152
         ap_regex_t *regexp;  /* used to find usertrack cookie in cookie header */
    295152
    +    int is_secure;
    295152
    +    int is_httponly;
    295152
    +    const char *samesite;
    295152
     } cookie_dir_rec;
    295152
     
    295152
     /* Make Cookie: Now we have to generate something that is going to be
    295152
    @@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
    295152
                                       : ""),
    295152
                                      NULL);
    295152
         }
    295152
    +    if (dcfg->samesite != NULL) {
    295152
    +        new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
    295152
    +                                 dcfg->samesite,
    295152
    +                                 NULL);
    295152
    +    }
    295152
    +    if (dcfg->is_secure) {
    295152
    +        new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
    295152
    +                                 NULL);
    295152
    +    }
    295152
    +    if (dcfg->is_httponly) {
    295152
    +        new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
    295152
    +                                 NULL);
    295152
    +    }
    295152
    +
    295152
    +
    295152
     
    295152
         apr_table_addn(r->err_headers_out,
    295152
                        (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
    295152
    @@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t *p, char *d)
    295152
         dcfg->cookie_domain = NULL;
    295152
         dcfg->style = CT_UNSET;
    295152
         dcfg->enabled = 0;
    295152
    +    /* calloc'ed to disabled: samesite, is_secure, is_httponly */
    295152
     
    295152
         /* In case the user does not use the CookieName directive,
    295152
          * we need to compile the regexp for the default cookie name. */
    295152
    @@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_parms *cmd, void *mconfig,
    295152
         return NULL;
    295152
     }
    295152
     
    295152
    +/* 
    295152
    + * SameSite enabled disabled 
    295152
    + */ 
    295152
    +
    295152
    +static const char *set_samesite_value(cmd_parms *cmd, void *mconfig,
    295152
    +                                    const char *name)
    295152
    +{
    295152
    +    cookie_dir_rec *dcfg;
    295152
    +
    295152
    +    dcfg = (cookie_dir_rec *) mconfig;
    295152
    +
    295152
    +    if (strcasecmp(name, "strict") == 0) {
    295152
    +        dcfg->samesite = "SameSite=Strict"; 
    295152
    +    } else if (strcasecmp(name, "lax") == 0) {
    295152
    +        dcfg->samesite = "SameSite=Lax"; 
    295152
    +    } else if (strcasecmp(name, "none") == 0) {
    295152
    +        dcfg->samesite = "SameSite=None"; 
    295152
    +    } else {
    295152
    +        return "CookieSameSite accepts 'Strict', 'Lax', or 'None'";
    295152
    +    }
    295152
    +
    295152
    +    
    295152
    +    return NULL;
    295152
    +}
    295152
    +
    295152
     static const command_rec cookie_log_cmds[] = {
    295152
         AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
    295152
                       "an expiry date code"),
    295152
    @@ -440,6 +484,17 @@ static const command_rec cookie_log_cmds[] = {
    295152
                      "whether or not to enable cookies"),
    295152
         AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
    295152
                       "name of the tracking cookie"),
    295152
    +                  AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,
    295152
    +                 "whether or not to enable cookies"),
    295152
    +    AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO,
    295152
    +                  "SameSite setting"),
    295152
    +    AP_INIT_FLAG("CookieSecure", ap_set_flag_slot, 
    295152
    +                 (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO,
    295152
    +                 "is cookie secure"),
    295152
    +    AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot, 
    295152
    +                 (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO,
    295152
    +                 "is cookie http only"),
    295152
    +
    295152
         {NULL}
    295152
     };
    295152