php – SameSite=None .htaccess regex issue

Posted by: admin February 25, 2020

Questions:

The latest Chrome update requires cross-domain cookies to be explicitly set to SameSite=None. The following regex for .htaccess works except for OSX 10.14 Safari 13.0.5 (this browser has a bug with SameSite=None and must be ignored).

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

Does anyone know how to modify the regex above to exclude the OSX 10.14 Safari version?

Furthermore, can anyone combine all of the additional incompatible clients into the regex above – a single regex to fix the SameSite=None issue would be amazing for everyone! Thanks

https://www.chromium.org/updates/same-site/incompatible-clients

bool isSameSiteNoneIncompatible(string useragent):
    return hasWebKitSameSiteBug(useragent) ||
           dropsUnrecognizedSameSiteCookies(useragent)

bool hasWebKitSameSiteBug(string useragent):
    return isIosVersion(major:12, useragent) ||
           (isMacosxVersion(major:10, minor:14, useragent) &&
            (isSafari(useragent) || isMacEmbeddedBrowser(useragent)))

bool dropsUnrecognizedSameSiteCookies(string useragent):
    if isUcBrowser(useragent):
        return !isUcBrowserVersionAtLeast(major:12, minor:13, build:2, useragent)
    return isChromiumBased(useragent) &&
           isChromiumVersionAtLeast(major:51, useragent) &&
           !isChromiumVersionAtLeast(major:67, useragent)

// Regex parsing of User-Agent string. (See note above!)

bool isIosVersion(int major, string useragent):
    string regex = "\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\/"
    // Extract digits from first capturing group.
    return useragent.regexMatch(regex)[0] == intToString(major)

bool isMacosxVersion(int major, int minor, string useragent):
    string regex = "\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\/"
    // Extract digits from first and second capturing groups.
    return (useragent.regexMatch(regex)[0] == intToString(major)) &&
           (useragent.regexMatch(regex)[1] == intToString(minor))

bool isSafari(string useragent):
    string safari_regex = "Version\/.* Safari\/"
    return useragent.regexContains(safari_regex) &&
           !isChromiumBased(useragent)

bool isMacEmbeddedBrowser(string useragent):
    string regex = "^Mozilla\/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) "
                     + "AppleWebKit\/[\.\d]+ \(KHTML, like Gecko\)$"
    return useragent.regexContains(regex)

bool isChromiumBased(string useragent):
    string regex = "Chrom(e|ium)"
    return useragent.regexContains(regex)

bool isChromiumVersionAtLeast(int major, string useragent):
    string regex = "Chrom[^ \/]+\/(\d+)[\.\d]* "
    // Extract digits from first capturing group.
    int version = stringToInt(useragent.regexMatch(regex)[0])
    return version >= major

bool isUcBrowser(string useragent):
    string regex = "UCBrowser\/"
    return useragent.regexContains(regex)

bool isUcBrowserVersionAtLeast(int major, int minor, int build, string useragent):
    string regex = "UCBrowser\/(\d+)\.(\d+)\.(\d+)[\.\d]* "
    // Extract digits from three capturing groups.
    int major_version = stringToInt(useragent.regexMatch(regex)[0])
    int minor_version = stringToInt(useragent.regexMatch(regex)[1])
    int build_version = stringToInt(useragent.regexMatch(regex)[2])
    if major_version != major:
        return major_version > major
    if minor_version != minor:
        return minor_version > minor
    return build_version >= build

How to & Answers:

This should fix the issue for Safari v13 on OSX 10.14.x.

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

Still haven’t included all the chromium patches though…
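
An added example (not from the original post or from the Chromium project): a Python port of the Chromium pseudocode quoted in the question, run next to the answer's regex over constructed User-Agent strings to list where the two disagree. The function names and the sample strings are assumptions made for this illustration.

```python
import re
# Regex from the answer above, copied verbatim; Apache applies it with the /i flag.
ANSWER_RE = re.compile(
    r"(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]"
    r"|iPod touch; CPU iPhone OS 1[0-2]"
    r"|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari"
    r"|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)", re.I)

def _nums(pattern, ua):
    # Capturing groups as a list of ints, or None when the pattern does not match.
    m = re.search(pattern, ua)
    return [int(g) for g in m.groups()] if m else None

def is_chromium(ua):
    return re.search(r"Chrom(e|ium)", ua) is not None

def has_webkit_bug(ua):  # iOS 12, or Safari / embedded WebKit on macOS 10.14
    ios = _nums(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/", ua)
    mac = _nums(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/", ua)
    safari = re.search(r"Version/.* Safari/", ua) and not is_chromium(ua)
    embedded = re.search(r"^Mozilla/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) "
                         r"AppleWebKit/[\.\d]+ \(KHTML, like Gecko\)$", ua)
    return ios == [12] or (mac == [10, 14] and bool(safari or embedded))

def drops_unrecognized(ua):
    if "UCBrowser/" in ua:  # UC Browser older than 12.13.2
        uc = _nums(r"UCBrowser/(\d+)\.(\d+)\.(\d+)[\.\d]* ", ua)
        return uc is not None and uc < [12, 13, 2]
    cr = _nums(r"Chrom[^ /]+/(\d+)[\.\d]* ", ua)  # Chromium 51 through 66
    return is_chromium(ua) and cr is not None and 51 <= cr[0] < 67

def is_incompatible(ua):
    return has_webkit_bug(ua) or drops_unrecognized(ua)

K = "(KHTML, like Gecko)"
SAMPLES = {  # constructed User-Agent strings, not captured traffic
    "safari13_mac10_14": f"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 {K} Version/13.0.5 Safari/605.1.15",
    "chrome80_mac10_14": f"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 {K} Chrome/80.0.3987.122 Safari/537.36",
    "chrome60_win": f"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 {K} Chrome/60.0.3112.113 Safari/537.36",
    "uc12_10_android": f"Mozilla/5.0 (Linux; U; Android 8.0.0; en-US; SM-G950F) AppleWebKit/537.36 {K} Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.10.2.1164 Mobile Safari/537.36",
    "ios12_safari": f"Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 {K} Version/12.1.2 Mobile/15E148 Safari/604.1",
    "ios11_safari": f"Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 {K} Version/11.0 Mobile/15E148 Safari/604.1",
}

def mismatches(samples=SAMPLES):
    # Names where the answer's regex and the Chromium check disagree.
    return [n for n, ua in samples.items() if bool(ANSWER_RE.search(ua)) != is_incompatible(ua)]

print(mismatches())
```

The names printed are the Chromium 51 to 66 and old UC Browser samples, which the regex still sends SameSite=None to, plus the iOS 11 sample, which the regex skips although the pseudocode only flags iOS 12.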