-rw-r--r-- | CHANGES | 3 | ||||
-rw-r--r-- | docs/manual/mod/mod_rewrite.xml | 2 | ||||
-rw-r--r-- | docs/manual/rewrite/flags.xml | 12 | ||||
-rw-r--r-- | modules/mappers/mod_rewrite.c | 7 |
4 files changed, 20 insertions, 4 deletions
@@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a + SameSite attribute. [Eric Covener] + *) Update DOCTYPE tags in server-generated HTML. PR62989. [Andra Farkas <deepbluemistake gmail.com>, Giovanni Bechis <giovanni paclan.it>] diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml index 7e9963f58a..961c7c313f 100644 --- a/docs/manual/mod/mod_rewrite.xml +++ b/docs/manual/mod/mod_rewrite.xml @@ -1343,7 +1343,7 @@ cannot use <code>$N</code> in the substitution string! <tr> <td>cookie|CO=<em>NAME</em>:<em>VAL</em></td> <td>Sets a cookie in the client browser. Full syntax is: - CO=<em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>]]]] <em><a href="../rewrite/flags.html#flag_co">details ...</a></em> + CO=<em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>[<em>samesite</em>]]]]] <em><a href="../rewrite/flags.html#flag_co">details ...</a></em> </td> </tr> <tr> diff --git a/docs/manual/rewrite/flags.xml b/docs/manual/rewrite/flags.xml index cd9fe971ca..67bf9cf99d 100644 --- a/docs/manual/rewrite/flags.xml +++ b/docs/manual/rewrite/flags.xml @@ -134,14 +134,14 @@ skipped.</p> <section id="flag_co"><title>CO|cookie</title> <p>The [CO], or [cookie] flag, allows you to set a cookie when a particular <directive module="mod_rewrite">RewriteRule</directive> -matches. The argument consists of three required fields and four optional +matches. The argument consists of three required fields and five optional fields.</p> <p>The full syntax for the flag, including all attributes, is as follows:</p> <example> -[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly] +[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly:samesite] </example> <p>If a literal ':' character is needed in any of the cookie fields, an 
@@ -150,7 +150,7 @@ alternate syntax is available. To opt-in to the alternate syntax, the cookie specified as ';'.</p> <example> -[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly] +[CO=;NAME;VALUE:MOREVALUE;DOMAIN;lifetime;path;secure;httponly;samesite] </example> <p>You must declare a name, a value, and a domain for the cookie to be set.</p> @@ -191,6 +191,12 @@ connections.</dd> which means that the cookie is inaccessible to JavaScript code on browsers that support this feature.</dd> </dl> +<dt>samesite</dt> +<dd>If set to anything other than <code>0</code>, the <code>SameSite</code> +attribute is set to the specified value. Typical values are <code>None</code>, +<code>Lax</code>, and <code>Strict</code>.Available in 2.5.1 and later.</dd> +</dl> + <p>Consider this example:</p> diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index ad90d60dcf..f35752b0e1 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -2581,6 +2581,7 @@ static void add_cookie(request_rec *r, char *s) char *path; char *secure; char *httponly; + char *samesite; char *tok_cntx; char *cookie; @@ -2615,6 +2616,7 @@ static void add_cookie(request_rec *r, char *s) path = expires ? apr_strtok(NULL, sep, &tok_cntx) : NULL; secure = path ? apr_strtok(NULL, sep, &tok_cntx) : NULL; httponly = secure ? apr_strtok(NULL, sep, &tok_cntx) : NULL; + samesite = httponly ? apr_strtok(NULL, sep, &tok_cntx) : NULL; if (expires) { apr_time_exp_t tms; @@ -2654,6 +2656,11 @@ static void add_cookie(request_rec *r, char *s) "; HttpOnly" : NULL, NULL); + if (samesite && !strcasecmp(samesite, "0")) { + cookie = apr_pstrcat(rmain->pool, cookie, "; SameSite=", + samesite, NULL); + } + apr_table_addn(rmain->err_headers_out, "Set-Cookie", cookie); apr_pool_userdata_set("set", notename, NULL, rmain->pool); rewritelog(rmain, 5, NULL, "setting cookie '%s'", cookie); |
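Review bot: The SameSite guard in the last mod_rewrite.c hunk is inverted: `!strcasecmp(samesite, "0")` is true only when the field is exactly `0`, so the header gets `; SameSite=0` for the value documented as "off" and nothing at all for `None`, `Lax` or `Strict`, which is the opposite of what the flags.xml text in this same commit describes. An administrator who writes `...:httponly:Strict` expecting cross-site request protection would get a cookie with no SameSite attribute and no warning. The test should read `if (samesite && strcasecmp(samesite, "0")) {`. The field is also concatenated into the Set-Cookie value verbatim, so it may be worth accepting only the known tokens before appending it. add_cookie starts and ends outside these hunks, so whether `s` is sanitised earlier cannot be seen from here.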