removed samesite check using cookie (BC break)

dg · dg · commit 31c09f2a45e1 · 2026-06-03T08:30:54.000+02:00
diff --git a/src/Bridges/HttpDI/HttpExtension.php b/src/Bridges/HttpDI/HttpExtension.php
@@ -53,7 +53,7 @@ public function getConfigSchema(): Nette\Schema\Schema
 			'cookiePath' => Expect::string()->dynamic(),
 			'cookieDomain' => Expect::string()->dynamic(),
 			'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS
-			'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette
+			'disableNetteCookie' => Expect::bool(false)->deprecated(),
 		]);
 	}
 
@@ -150,13 +150,6 @@ private function sendHeaders(): void
 				$this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);
 			}
 		}
-
-		if (!$config->disableNetteCookie) {
-			$this->initialization->addBody(
-				'Nette\Http\Helpers::initCookie($this->getService(?), $response);',
-				[$this->prefix('request')],
-			);
-		}
 	}
 
 
diff --git a/src/Http/Helpers.php b/src/Http/Helpers.php
@@ -19,9 +19,6 @@ final class Helpers
 {
 	use Nette\StaticClass;
 
-	/** @internal */
-	public const StrictCookieName = '_nss';
-
 
 	/**
 	 * Formats a date and time in the HTTP date format (RFC 7231), e.g. 'Mon, 23 Jan 1978 10:00:00 GMT'.
@@ -107,16 +104,4 @@ public static function ipMatch(string $ip, string $mask): bool
 	{
 		return IPAddress::tryFrom($ip)?->isInRange($mask) ?? false;
 	}
-
-
-	/**
-	 * Sends the SameSite=Strict cookie used as a fallback for detecting same-site requests
-	 * in browsers that don't support the Sec-Fetch-Site header (Safari < 16.4).
-	 */
-	public static function initCookie(IRequest $request, IResponse $response): void
-	{
-		if ($request->getHeader('Sec-Fetch-Site') === null) {
-			$response->setCookie(self::StrictCookieName, '1', null, '/', sameSite: SameSite::Strict);
-		}
-	}
 }
diff --git a/src/Http/Request.php b/src/Http/Request.php
@@ -8,7 +8,7 @@
 namespace Nette\Http;
 
 use Nette;
-use function array_change_key_case, array_filter, base64_decode, count, explode, func_num_args, in_array, is_array, preg_match, strcasecmp, strlen, strtr;
+use function array_change_key_case, base64_decode, count, explode, func_num_args, in_array, is_array, preg_match, strcasecmp, strlen, strtr;
 
 
 /**
@@ -242,7 +242,6 @@ public function isSameSite(): bool
 
 	/**
 	 * Checks whether the request matches the given Sec-Fetch-Site, Sec-Fetch-Dest and Sec-Fetch-User values.
-	 * Falls back to the SameSite=Strict cookie in browsers without Sec-Fetch (Safari < 16.4)
 	 * @param  FetchSite|list<FetchSite>  $site
 	 * @param  FetchDest|list<FetchDest>|null  $dest
 	 */
@@ -252,20 +251,12 @@ public function isFrom(
 		?bool $user = null,
 	): bool
 	{
-		$siteHeader = $this->headers['sec-fetch-site'] ?? null;
+		$actualSite = FetchSite::tryFrom($this->headers['sec-fetch-site'] ?? '');
 		$actualDest = FetchDest::tryFrom($this->headers['sec-fetch-dest'] ?? '');
 		$actualUser = ($this->headers['sec-fetch-user'] ?? null) === '?1';
 		$site = is_array($site) ? $site : [$site];
 		$dest = $dest === null || is_array($dest) ? $dest : [$dest];
 
-		if ($siteHeader === null) { // fallback for browsers without Sec-Fetch (Safari < 16.4)
-			return $dest === null
-				&& $user === null
-				&& isset($this->cookies[Helpers::StrictCookieName])
-				&& array_filter($site, fn(FetchSite $s) => $s !== FetchSite::CrossSite) !== [];
-		}
-
-		$actualSite = FetchSite::tryFrom($siteHeader);
 		return $actualSite !== null
 			&& in_array($actualSite, $site, strict: true)
 			&& ($dest === null || ($actualDest !== null && in_array($actualDest, $dest, strict: true)))
diff --git a/tests/Http.DI/HttpExtension.sameSiteProtection.disabled.phpt b/tests/Http.DI/HttpExtension.sameSiteProtection.disabled.phpt
diff --git a/tests/Http.DI/HttpExtension.sameSiteProtection.phpt b/tests/Http.DI/HttpExtension.sameSiteProtection.phpt
diff --git a/tests/Http/Request.isFrom.phpt b/tests/Http/Request.isFrom.phpt
@@ -80,46 +80,9 @@ test('unknown header value matches nothing', function () {
 });
 
 
-test('no header, no cookie returns false', function () {
+test('no Sec-Fetch-Site returns false', function () {
 	$request = new Http\Request(new Http\UrlScript);
 
 	Assert::false($request->isFrom(FetchSite::SameOrigin));
 	Assert::false($request->isFrom(FetchSite::CrossSite));
 });
-
-
-test('cookie fallback proves only "not cross-site"', function () {
-	$request = new Http\Request(new Http\UrlScript, cookies: [
-		Http\Helpers::StrictCookieName => '1',
-	]);
-
-	Assert::true($request->isFrom(FetchSite::SameOrigin));
-	Assert::true($request->isFrom(FetchSite::SameSite));
-	Assert::true($request->isFrom(FetchSite::None));
-	Assert::true($request->isFrom([FetchSite::SameOrigin, FetchSite::CrossSite]));
-	Assert::false($request->isFrom(FetchSite::CrossSite));
-});
-
-
-test('cookie fallback fails closed for dest & user', function () {
-	$request = new Http\Request(new Http\UrlScript, cookies: [
-		Http\Helpers::StrictCookieName => '1',
-	]);
-
-	// dest/user can't be proven by the cookie alone, so a stricter check must not pass
-	Assert::false($request->isFrom(FetchSite::SameOrigin, FetchDest::Document));
-	Assert::false($request->isFrom(FetchSite::SameOrigin, user: true));
-	Assert::false($request->isFrom(FetchSite::SameOrigin, user: false));
-});
-
-
-test('cookie fallback not used when Sec-Fetch-Site present', function () {
-	$request = new Http\Request(new Http\UrlScript, cookies: [
-		Http\Helpers::StrictCookieName => '1',
-	], headers: [
-		'Sec-Fetch-Site' => 'cross-site',
-	]);
-
-	Assert::false($request->isFrom(FetchSite::SameOrigin));
-	Assert::true($request->isFrom(FetchSite::CrossSite));
-});

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public function getConfigSchema(): Nette\Schema\Schema`
`53`	`53`	`'cookiePath' => Expect::string()->dynamic(),`
`54`	`54`	`'cookieDomain' => Expect::string()->dynamic(),`
`55`	`55`	`'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS`
`56`		`- 'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette`
	`56`	`+ 'disableNetteCookie' => Expect::bool(false)->deprecated(),`
`57`	`57`	`]);`
`58`	`58`	`}`
`59`	`59`
`@@ -150,13 +150,6 @@ private function sendHeaders(): void`
`150`	`150`	`$this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);`
`151`	`151`	`}`
`152`	`152`	`}`
`153`		`-`
`154`		`- if (!$config->disableNetteCookie) {`
`155`		`- $this->initialization->addBody(`
`156`		`- 'Nette\Http\Helpers::initCookie($this->getService(?), $response);',`
`157`		`- [$this->prefix('request')],`
`158`		`- );`
`159`		`- }`
`160`	`153`	`}`
`161`	`154`
`162`	`155`
Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,6 @@ final class Helpers`
`19`	`19`	`{`
`20`	`20`	`use Nette\StaticClass;`
`21`	`21`
`22`		`- /** @internal */`
`23`		`- public const StrictCookieName = '_nss';`
`24`		`-`
`25`	`22`
`26`	`23`	`/**`
`27`	`24`	`* Formats a date and time in the HTTP date format (RFC 7231), e.g. 'Mon, 23 Jan 1978 10:00:00 GMT'.`
`@@ -107,16 +104,4 @@ public static function ipMatch(string $ip, string $mask): bool`
`107`	`104`	`{`
`108`	`105`	`return IPAddress::tryFrom($ip)?->isInRange($mask) ?? false;`
`109`	`106`	`}`
`110`		`-`
`111`		`-`
`112`		`- /**`
`113`		`- * Sends the SameSite=Strict cookie used as a fallback for detecting same-site requests`
`114`		`- * in browsers that don't support the Sec-Fetch-Site header (Safari < 16.4).`
`115`		`- */`
`116`		`- public static function initCookie(IRequest $request, IResponse $response): void`
`117`		`- {`
`118`		`- if ($request->getHeader('Sec-Fetch-Site') === null) {`
`119`		`- $response->setCookie(self::StrictCookieName, '1', null, '/', sameSite: SameSite::Strict);`
`120`		`- }`
`121`		`- }`
`122`	`107`	`}`