HttpExtension: added option sameSiteProtection and Request::isSameSite()

Author: dg

src/Bridges/HttpDI/HttpExtension.php

@@ -28,6 +28,7 @@ class HttpExtension extends Nette\DI\CompilerExtension
 		'cspReportOnly' => [], // Content-Security-Policy-Report-Only
 		'featurePolicy' => [], // Feature-Policy
 		'secureCookie' => 'auto', // true|false|auto  Whether the cookie is available only through HTTPS
+		'sameSiteProtection' => null, // activate Response::isSameSite() protection
 	];
 
 	/** @var bool */
@@ -84,6 +85,15 @@ public function loadConfiguration()
 	}
 
 
+	public function beforeCompile()
+	{
+		if (!empty($this->config['sameSiteProtection'])) {
+			$this->getContainerBuilder()->getDefinitionByType(Nette\Http\Session::class)
+				->addSetup('setOptions', [['cookie_samesite' => 'Lax']]);
+		}
+	}
+
+
 	public function afterCompile(Nette\PhpGenerator\ClassType $class)
 	{
 		if ($this->cliMode) {
@@ -127,6 +137,10 @@ public function afterCompile(Nette\PhpGenerator\ClassType $class)
 				$initialize->addBody('$this->getService(?)->setHeader(?, ?);', [$this->prefix('response'), $key, $value]);
 			}
 		}
+
+		if (!empty($config['sameSiteProtection'])) {
+			$initialize->addBody('$this->getService(?)->setCookie(...?);', [$this->prefix('response'), ['nette-samesite', '1', 0, null, null, null, true, 'Strict']]);
+		}
 	}
 
 

src/Http/Request.php

@@ -227,6 +227,15 @@ public function isSecured(): bool
 	}
 
 
+	/**
+	 * Is the request sent from the same origin?
+	 */
+	public function isSameSite(): bool
+	{
+		return !empty($this->cookies['nette-samesite']);
+	}
+
+
 	/**
 	 * Is AJAX request?
 	 */

tests/Http.DI/HttpExtension.sameSiteProtection.phpt

@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+use Nette\Bridges\HttpDI\HttpExtension;
+use Nette\Bridges\HttpDI\SessionExtension;
+use Nette\DI;
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+if (PHP_SAPI === 'cli') {
+	Tester\Environment::skip('Headers are not testable in CLI mode');
+}
+
+
+$compiler = new DI\Compiler;
+$compiler->addExtension('http', new HttpExtension);
+$compiler->addExtension('session', new SessionExtension(false, PHP_SAPI === 'cli'));
+
+$loader = new DI\Config\Loader;
+$config = $loader->load(Tester\FileMock::create('
+http:
+	sameSiteProtection: yes
+', 'neon'));
+
+eval($compiler->addConfig($config)->compile());
+
+$container = new Container;
+$container->initialize();
+
+$headers = headers_list();
+Assert::contains(
+	PHP_VERSION_ID >= 70300
+		? 'Set-Cookie: nette-samesite=1; path=/; HttpOnly; SameSite=Strict'
+		: 'Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly',
+	$headers
+);
+Assert::same('Lax', $container->getService('session.session')->getOptions()['cookie_samesite']);