Request, HttpExtension: added sameSite protection (enabled by default)

Author: dg

src/Bridges/HttpDI/HttpExtension.php

@@ -28,6 +28,7 @@ class HttpExtension extends Nette\DI\CompilerExtension
 		'cspReportOnly' => [], // Content-Security-Policy-Report-Only
 		'featurePolicy' => [], // Feature-Policy
 		'cookieSecure' => 'auto', // true|false|auto  Whether the cookie is available only through HTTPS
+		'sameSiteProtection' => true, // activates Request::isSameSite() protection
 	];
 
 	/** @var bool */
@@ -127,6 +128,10 @@ public function afterCompile(Nette\PhpGenerator\ClassType $class)
 				$initialize->addBody('$this->getService(?)->setHeader(?, ?);', [$this->prefix('response'), $key, $value]);
 			}
 		}
+
+		if (!empty($config['sameSiteProtection'])) {
+			$initialize->addBody('$this->getService(?)->setCookie(...?);', [$this->prefix('response'), ['nette-samesite', '1', 0, '/', null, null, true, 'Strict']]);
+		}
 	}
 
 

src/Http/Request.php

@@ -227,6 +227,15 @@ public function isSecured(): bool
 	}
 
 
+	/**
+	 * Is the request sent from the same origin?
+	 */
+	public function isSameSite(): bool
+	{
+		return isset($this->cookies['nette-samesite']);
+	}
+
+
 	/**
 	 * Is AJAX request?
 	 */

tests/Http.DI/HttpExtension.sameSiteProtection.phpt

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+use Nette\Bridges\HttpDI\HttpExtension;
+use Nette\DI;
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+if (PHP_SAPI === 'cli') {
+	Tester\Environment::skip('Headers are not testable in CLI mode');
+}
+
+
+$compiler = new DI\Compiler;
+$compiler->addExtension('http', new HttpExtension);
+
+// protection is enabled by default
+eval($compiler->compile());
+
+$container = new Container;
+$container->initialize();
+
+$headers = headers_list();
+Assert::contains(
+	PHP_VERSION_ID >= 70300
+		? 'Set-Cookie: nette-samesite=1; path=/; HttpOnly; SameSite=Strict'
+		: 'Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly',
+	$headers
+);