From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001

From: Anthony Critelli <acritelli@datto.com>

Date: Tue, 7 Jan 2020 11:14:24 -0500

Subject: [PATCH] Add none option for samesite

---

 README.md                 | 7 +++++--

 auth_mellon.h             | 3 ++-

 auth_mellon_config.c      | 2 ++

 auth_mellon_cookie.c      | 4 +++-

 auth_mellon_diagnostics.c | 1 +

 5 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md

index be374bc..82a88fc 100644

--- a/README.md

+++ b/README.md

@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off

         # MellonCookieSameSite allows control over the SameSite value used

         # for the authentication cookie.

-        # The setting accepts values of "Strict" or "Lax"

-        # If not set, the SameSite attribute is not set on the cookie.

+        # The setting accepts values of "Strict", "Lax", or "None".

+        # When using none, you should set "MellonSecureCookie On" to prevent

+        # compatibility issues with newer browsers.

+        # If not set, the SameSite attribute is not set on the cookie. In newer

+        # browsers, this may cause SameSite to default to "Lax"

         # Default: not set

         # MellonCookieSameSite lax

diff --git a/auth_mellon.h b/auth_mellon.h

index 9ef2d8a..5f5a20b 100644

--- a/auth_mellon.h

+++ b/auth_mellon.h

@@ -164,7 +164,8 @@ typedef enum {

 typedef enum {

   am_samesite_default,

   am_samesite_lax,

-  am_samesite_strict

+  am_samesite_strict,

+  am_samesite_none,

 } am_samesite_t;

 typedef enum {

diff --git a/auth_mellon_config.c b/auth_mellon_config.c

index 7932e2d..f1a9d12 100644

--- a/auth_mellon_config.c

+++ b/auth_mellon_config.c

@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,

         d->cookie_samesite = am_samesite_lax;

     } else if(!strcasecmp(arg, "strict")) {

         d->cookie_samesite = am_samesite_strict;

+    } else if(!strcasecmp(arg, "none")) {

+        d->cookie_samesite = am_samesite_none;

     } else {

         return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";

     }

diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c

index 8394c18..b2c8535 100644

--- a/auth_mellon_cookie.c

+++ b/auth_mellon_cookie.c

@@ -1,7 +1,7 @@

 /*

  *

  *   auth_mellon_cookie.c: an authentication apache module

- *   Copyright © 2003-2007 UNINETT (http://www.uninett.no/)

+ *   Copyright © 2003-2007 UNINETT (http://www.uninett.no/)

  *

  *   This program is free software; you can redistribute it and/or modify

  *   it under the terms of the GNU General Public License as published by

@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)

         cookie_samesite = "; SameSite=Lax";

     } else if (cfg->cookie_samesite == am_samesite_strict) {

         cookie_samesite = "; SameSite=Strict";

+    } else if (cfg->cookie_samesite == am_samesite_none) {

+        cookie_samesite = "; SameSite=None";

     }

     secure_cookie = cfg->secure;

diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c

index 792e894..912814b 100644

--- a/auth_mellon_diagnostics.c

+++ b/auth_mellon_diagnostics.c

@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)

     case am_samesite_default: return "default";

     case am_samesite_lax:     return "lax";

     case am_samesite_strict:  return "strict";

+    case am_samesite_none:    return "none";

     default:

         return apr_psprintf(r->pool, "unknown (%d)", samesite);

     }

-- 

2.21.0