oalders / http-browserdetect

Determine the Web browser, version, and platform from an HTTP user agent string
http://www.browserdetect.org

REQUEST: Detection of incompatibility with SameSite=None #175

Open FloppyKing opened 4 years ago

FloppyKing commented 4 years ago

With Google now changing the default behavior of cross-site accessible cookies and forcing us to include the SameSite=None property, it would be beneficial to have a short-hand method for checking for browsers that are incompatible with the None value of the SameSite cookie property.

For further explanation see https://web.dev/samesite-cookies-explained/ or https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

According to Google, the incompatible clients include the below:

  • Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). These Chrome versions will reject a cookie with SameSite=None. This also affects older versions of Chromium-derived browsers, as well as Android WebView. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in Chrome 67 and newer. (Prior to Chrome 51, the SameSite attribute was ignored entirely and all cookies were treated as if they were SameSite=None.)

  • Versions of UC Browser on Android prior to version 12.13.2. Older versions will reject a cookie with SameSite=None. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in newer versions of UC Browser.

  • Versions of Safari and embedded browsers on MacOS 10.14 and all browsers on iOS 12. These versions will erroneously treat cookies marked with SameSite=None as if they were marked SameSite=Strict. This bug has been fixed on newer versions of iOS and MacOS.
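
The three rules above, implemented as a standalone server-side check (an added example, not code from this issue or from HTTP::BrowserDetect; the user-agent regexes are this example's own assumptions about UA layout, and the sample UA strings in the test are constructed):

```python
import re
# Added example (not from the issue or HTTP::BrowserDetect). The UA regexes are this
# example's own assumptions; the rules are the three quoted from Google's guidance.

def _ios_major(ua):
    m = re.search(r"\(iP[^;]*; CPU [^)]*OS (\d+)[_\d]*[^)]*\) AppleWebKit/", ua)
    return int(m.group(1)) if m else None

def _macos_version(ua):
    m = re.search(r"\(Macintosh;[^)]*Mac OS X (\d+)_(\d+)[_\d]*[^)]*\) AppleWebKit/", ua)
    return (int(m.group(1)), int(m.group(2))) if m else None

def _chromium_major(ua):
    m = re.search(r"Chrom(?:e|ium)/(\d+)\.", ua)
    return int(m.group(1)) if m else None

def _is_safari(ua):
    # Real Safari carries "Version/x Safari/y" and no Chrome/Chromium token.
    return re.search(r"Version/[\d.]+ Safari/", ua) is not None and _chromium_major(ua) is None

def _is_mac_embedded(ua):
    # Google's isMacEmbeddedBrowser regex quoted in the issue: a bare WebKit UA with no browser token.
    return re.search(r"^Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ "
                     r"\(KHTML, like Gecko\)$", ua) is not None

def _uc_browser_version(ua):
    m = re.search(r"UCBrowser/(\d+)\.(\d+)\.(\d+)", ua)
    return tuple(int(g) for g in m.groups()) if m else None

def samesite_none_incompatible(ua):
    """True when the client is known to reject or misread SameSite=None."""
    # iOS 12 (all browsers) and macOS 10.14 Safari/embedded WebKit treat None as Strict.
    if _ios_major(ua) == 12:
        return True
    if _macos_version(ua) == (10, 14) and (_is_safari(ua) or _is_mac_embedded(ua)):
        return True
    # UC Browser before 12.13.2 rejects the cookie; it must be checked before the
    # Chrome rule because its UA also carries an old Chrome/ token.
    uc = _uc_browser_version(ua)
    if uc is not None:
        return uc < (12, 13, 2)
    # Chrome/Chromium 51..66 inclusive reject a cookie with SameSite=None.
    major = _chromium_major(ua)
    return major is not None and 51 <= major <= 66

def set_cookie_header(name, value, ua):
    """Cross-site cookie header: send SameSite=None only to clients that understand it."""
    attrs = "Secure; HttpOnly" if samesite_none_incompatible(ua) else "Secure; HttpOnly; SameSite=None"
    return f"{name}={value}; {attrs}"
```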

FloppyKing commented 4 years ago

Related project for checking client side that has afflicted UA strings in the code for reference: https://github.com/linsight/should-send-same-site-none/blob/master/index.test.js

oalders commented 4 years ago

Thanks, @FloppyKing. I would accept a pull request for this. :)

FloppyKing commented 4 years ago

I'll have to poke around in the inner workings of BrowserDetect.pm and figure out how to create pull requests later when I get more time, but I'm just leaving this here for now as a "rough sketch" of sorts for myself to look at later, or perhaps for someone else to reference that may already be versed in the ways of GitHub.

sub samesite_none_incompatible {
    my $self = shift;

    return (
        ## iOS 12
        ( $self->os eq 'ios' && $self->os_major == 12 )

        ## Mac OS version 10.14 Safari or embedded browser
        || ( $self->os eq 'macosx' && $self->os_major == 10 && $self->os_minor == 14
             && $self->browser eq 'safari' )    ### NOT SURE about embedded browsers, SEE isMacEmbeddedBrowser ###

        ## UC Browser < 12.13.2
        || ( $self->browser eq 'ucbrowser'
             && ( $self->browser_version < 12.13
                  || ( $self->browser_version == 12.13 && $self->browser_beta < 2 ) ) )

        ## Chrome versions from 51 to 66
        || ( $self->chrome && $self->browser_major >= 51 && $self->browser_major <= 66 )
    ) ? 1 : 0;
}

### CODE REFERENCED ABOVE FROM GOOGLE THAT I'M NOT SURE
### HOW TO CHECK FOR SINCE I'M NOT SURE WHAT DEFINES AN
### EMBEDDED BROWSER FOR MAC OS

bool isMacEmbeddedBrowser(string useragent):
    string regex = "^Mozilla\/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) "
                 + "AppleWebKit\/[\.\d]+ \(KHTML, like Gecko\)$"
    return useragent.regexContains(regex)

oalders commented 4 years ago

Great, thanks for sharing this. 👍 If GitHub is the blocker, I'd accept a plain old patch too. We'd just need some appropriate tests to accompany any new code.