Add support for Partitioned Cookies #53224

blowdart opened this issue Jan 8, 2024 · 10 comments
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Comments

@blowdart
Contributor

blowdart commented Jan 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

CookieBuilder should support the new Partitioned property from the CHIPS (Cookies Having Independent Partitioned State) spec, to avoid users having to fall back to the extensions property.

Both Chrome and Safari have indicated their support.

Describe the solution you'd like

A true or false property on CookieBuilder much like SameSite has today.

If the Partitioned property is set to true the cookie should be emitted with Partitioned;

Set-Cookie: Beans=baked; SameSite=None; Secure; HttpOnly; Path=/; Partitioned;

The Partitioned attribute can only be used with a Secure attribute, and the spec says browsers MUST reject a partitioned cookie if Secure is not present, so the builder could throw an exception on build.

A cookie that does not have SameSite=None but is partitioned really isn't partitioned at all; it's not going to be seen by third parties, but in that case the spec says Browsers MAY, so a debug message may be useful in that circumstance to help users track down that mistake.

Additional context

No response

@ghost ghost added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Jan 8, 2024
@adityamandaleeka adityamandaleeka added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically labels Jan 8, 2024
@adityamandaleeka adityamandaleeka added this to the .NET 9 Planning milestone Jan 9, 2024
@ghost

ghost commented Jan 9, 2024

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s).
If we later determine that the issue has no community involvement, or it's a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

@amcasey amcasey self-assigned this Jan 17, 2024
@Ajay100000

Ajay100000 commented Jan 23, 2024

My company uses Azure and we use partition cookies for our httponly cookies. However, Azure is a problem as shown in the attached screenshot.

The Azure cookies need to be partitioned please.

Azure_cookie_issue

@amcasey amcasey modified the milestones: .NET 9 Planning, 9.0.0 Jan 27, 2024
@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@kimsey0
Contributor

kimsey0 commented Feb 8, 2024

If Partitioned is added to CookieBuilder and CookieOptions, it would also be nice to have it added to CookiePolicyOptions so it can be set automatically by the CookiePolicyMiddleware (UseCookiePolicy).

@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 13, 2024
@blowdart
Contributor Author

@Ajay100000 Those cookies are not set by ASP.NET; they are set by Azure Websites. We cannot change those. You should open a ticket for your Azure subscription asking for that feature.

@amcasey
Member

amcasey commented Apr 25, 2024

AFAICT, CookieBuilder, CookieOptions, and SetCookieHeaderValue cheerfully accept any combination of settings without complaint. The validation I can find for SameSite is in ResponseCookies and logs a warning.

amcasey added a commit to amcasey/aspnetcore that referenced this issue Apr 25, 2024
...to support CHIPS (Cookies Having Independent Partitioned State).

Fixes dotnet#53224
Fixes dotnet#55370
@halter73
Member

@blowdart Has Firefox announced that it's going to support this? Given the simplicity of the Extensions workaround, and the fact that this is only supported by chromium-based browsers, and that the spec is only in expired draft currently, it's really tempting to hold off on adding this. We're just talking about being able to do this:

options.Cookie.Partitioned = true;

vs.

options.Cookie.Extensions.Add("partitioned");

What are we rushing here for? If nothing changes like we hope, options.Cookie.Extensions.Add("partitioned") will continue to work indefinitely.

@amcasey
Member

amcasey commented Apr 26, 2024

On MDN they seem to contrast it with their own related experiment and indicate that it's not (yet?) supported.

@amcasey
Member

amcasey commented Apr 26, 2024

> @blowdart Has Firefox announced that it's going to support this? Given the simplicity of the Extensions workaround, and the fact that this is only supported by chromium-based browsers, and that the spec is only in expired draft currently, it's really tempting to hold off on adding this. We're just talking about being able to do this:
>
> options.Cookie.Partitioned = true;
>
> vs.
>
> options.Cookie.Extensions.Add("partitioned");
>
> What are we rushing here for? If nothing changes like we hope, options.Cookie.Extensions.Add("partitioned") will continue to work indefinitely.

It seems like all you're losing with the Extensions approach is a warning log if you use it incorrectly?
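
The checks proposed in the opening post (reject Partitioned without Secure, give a debug hint when SameSite is not None) can be layered over the Extensions workaround discussed above. This is an added example, not part of any comment in this thread and not ASP.NET Core code; `PartitionedCookies` and `AppendPartitioned` are hypothetical names, and it assumes .NET 6 or later for `CookieOptions.Extensions`.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Added example: PartitionedCookies and AppendPartitioned are hypothetical names.
// Only CookieOptions (Secure, SameSite, Extensions) and Response.Cookies.Append
// are existing framework members.
public static class PartitionedCookies
{
    private const string Attribute = "Partitioned";

    public static void AppendPartitioned(
        this HttpResponse response,
        string name,
        string value,
        CookieOptions options,
        ILogger logger)
    {
        ArgumentNullException.ThrowIfNull(response);
        ArgumentNullException.ThrowIfNull(options);
        ArgumentNullException.ThrowIfNull(logger);

        // Browsers must reject a partitioned cookie that lacks Secure, so fail
        // at the call site instead of emitting a cookie that is silently dropped.
        if (!options.Secure)
        {
            throw new InvalidOperationException(
                $"Cookie '{name}' is marked {Attribute} but Secure is not set.");
        }

        // Without SameSite=None the cookie is not sent in a third-party context,
        // so partitioning has no effect. Surface that as a debug hint only.
        if (options.SameSite != SameSiteMode.None)
        {
            logger.LogDebug(
                "Cookie {Name} is {Attribute} but SameSite is {SameSite}; it will not be sent cross-site.",
                name, Attribute, options.SameSite);
        }

        // The Extensions workaround from the thread; do not add the attribute twice.
        if (!options.Extensions.Any(e =>
                string.Equals(e.Trim(), Attribute, StringComparison.OrdinalIgnoreCase)))
        {
            options.Extensions.Add(Attribute);
        }

        response.Cookies.Append(name, value, options);
    }
}
```

The helper works on an already built `CookieOptions`, so when the options come from a `CookieBuilder` the Secure check sees the value resolved from `SecurePolicy` for the current request.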

@amcasey
Member

amcasey commented Apr 26, 2024

In the event that we add support to aspnetcore before it's standardized, it feels like we'd still rather hold off on updating Katana until things are set in stone?

amcasey added a commit to amcasey/aspnetcore that referenced this issue Jul 11, 2024
...to support CHIPS (Cookies Having Independent Partitioned State).

Fixes dotnet#53224
Fixes dotnet#55370
@amcasey
Member

amcasey commented Jul 15, 2024

#55371 is a viable fix with an approved API, but we're reluctant to lock in the name before the feature is standardized.

@amcasey amcasey modified the milestones: 9.0.0, .NET 10 Planning Jul 15, 2024
@amcasey amcasey removed their assignment Oct 25, 2024