Re-implement SameSite for 2019 #12125

Tratcher · Tratcher · commit 4a9ec10ace8b · 2019-10-02T14:53:13.000-07:00
diff --git a/src/Http/Headers/src/SetCookieHeaderValue.cs b/src/Http/Headers/src/SetCookieHeaderValue.cs
@@ -20,8 +20,14 @@ public class SetCookieHeaderValue
         private const string SecureToken = "secure";
         // RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
         private const string SameSiteToken = "samesite";
+        private static readonly string SameSiteNoneToken = SameSiteMode.None.ToString().ToLower();
         private static readonly string SameSiteLaxToken = SameSiteMode.Lax.ToString().ToLower();
         private static readonly string SameSiteStrictToken = SameSiteMode.Strict.ToString().ToLower();
+
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool UseSameSite2016Compat;
+
         private const string HttpOnlyToken = "httponly";
         private const string SeparatorToken = "; ";
         private const string EqualsToken = "=";
@@ -36,6 +42,14 @@ private static readonly HttpHeaderParser<SetCookieHeaderValue> MultipleValuePars
         private StringSegment _name;
         private StringSegment _value;
 
+        static SetCookieHeaderValue()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.Net.Http.Headers.SetCookieHeaderValue.UseSameSite2016Compat", out var enabled))
+            {
+                UseSameSite2016Compat = enabled;
+            }
+        }
+
         private SetCookieHeaderValue()
         {
             // Used by the parser to create a new instance of this type.
@@ -92,16 +106,17 @@ public StringSegment Value
 
         public bool Secure { get; set; }
 
-        public SameSiteMode SameSite { get; set; }
+        public SameSiteMode SameSite { get; set; } = UseSameSite2016Compat ? SameSiteMode.None : (SameSiteMode)(-1); // Unspecified
 
         public bool HttpOnly { get; set; }
 
-        // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax}; httponly
+        // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={strict|lax|none}; httponly
         public override string ToString()
         {
             var length = _name.Length + EqualsToken.Length + _value.Length;
 
             string maxAge = null;
+            string sameSite = null;
 
             if (Expires.HasValue)
             {
@@ -129,9 +144,20 @@ public override string ToString()
                 length += SeparatorToken.Length + SecureToken.Length;
             }
 
-            if (SameSite != SameSiteMode.None)
+            // Allow for Unspecified (-1) to skip SameSite
+            if (SameSite == SameSiteMode.None && !UseSameSite2016Compat)
+            {
+                sameSite = SameSiteNoneToken;
+                length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;
+            }
+            else if (SameSite == SameSiteMode.Lax)
             {
-                var sameSite = SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken;
+                sameSite = SameSiteLaxToken;
+                length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;
+            }
+            else if (SameSite == SameSiteMode.Strict)
+            {
+                sameSite = SameSiteStrictToken;
                 length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;
             }
 
@@ -180,9 +206,9 @@ public override string ToString()
                     AppendSegment(ref span, SecureToken, null);
                 }
 
-                if (headerValue.SameSite != SameSiteMode.None)
+                if (sameSite != null)
                 {
-                    AppendSegment(ref span, SameSiteToken, headerValue.SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);
+                    AppendSegment(ref span, SameSiteToken, sameSite);
                 }
 
                 if (headerValue.HttpOnly)
@@ -248,9 +274,18 @@ public void AppendToStringBuilder(StringBuilder builder)
                 AppendSegment(builder, SecureToken, null);
             }
 
-            if (SameSite != SameSiteMode.None)
+            // Allow for Unspecified (-1) to skip SameSite
+            if (SameSite == SameSiteMode.None && !UseSameSite2016Compat)
+            {
+                AppendSegment(builder, SameSiteToken, SameSiteNoneToken);
+            }
+            else if (SameSite == SameSiteMode.Lax)
             {
-                AppendSegment(builder, SameSiteToken, SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);
+                AppendSegment(builder, SameSiteToken, SameSiteLaxToken);
+            }
+            else if (SameSite == SameSiteMode.Strict)
+            {
+                AppendSegment(builder, SameSiteToken, SameSiteStrictToken);
             }
 
             if (HttpOnly)
@@ -302,7 +337,7 @@ public static bool TryParseStrictList(IList<string> inputs, out IList<SetCookieH
             return MultipleValueParser.TryParseStrictValues(inputs, out parsedValues);
         }
 
-        // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax}; httponly
+        // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax|None}; httponly
         private static int GetSetCookieLength(StringSegment input, int startIndex, out SetCookieHeaderValue parsedValue)
         {
             Contract.Requires(startIndex >= 0);
@@ -437,25 +472,34 @@ private static int GetSetCookieLength(StringSegment input, int startIndex, out S
                 {
                     result.Secure = true;
                 }
-                // samesite-av = "SameSite" / "SameSite=" samesite-value
-                // samesite-value = "Strict" / "Lax"
+                // samesite-av = "SameSite=" samesite-value
+                // samesite-value = "Strict" / "Lax" / "None"
                 else if (StringSegment.Equals(token, SameSiteToken, StringComparison.OrdinalIgnoreCase))
                 {
                     if (!ReadEqualsSign(input, ref offset))
                     {
-                        result.SameSite = SameSiteMode.Strict;
+                        result.SameSite = UseSameSite2016Compat ? SameSiteMode.Strict : (SameSiteMode)(-1); // Unspecified
                     }
                     else
                     {
                         var enforcementMode = ReadToSemicolonOrEnd(input, ref offset);
 
-                        if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))
+                        if (StringSegment.Equals(enforcementMode, SameSiteStrictToken, StringComparison.OrdinalIgnoreCase))
+                        {
+                            result.SameSite = SameSiteMode.Strict;
+                        }
+                        else if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))
                         {
                             result.SameSite = SameSiteMode.Lax;
                         }
+                        else if (!UseSameSite2016Compat
+                            && StringSegment.Equals(enforcementMode, SameSiteNoneToken, StringComparison.OrdinalIgnoreCase))
+                        {
+                            result.SameSite = SameSiteMode.None;
+                        }
                         else
                         {
-                            result.SameSite = SameSiteMode.Strict;
+                            result.SameSite = UseSameSite2016Compat ? SameSiteMode.Strict : (SameSiteMode)(-1); // Unspecified
                         }
                     }
                 }
diff --git a/src/Http/Headers/test/SetCookieHeaderValueTest.cs b/src/Http/Headers/test/SetCookieHeaderValueTest.cs
@@ -57,7 +57,7 @@ public static TheoryData<SetCookieHeaderValue, string> SetCookieHeaderDataSet
                 {
                     SameSite = SameSiteMode.None,
                 };
-                dataset.Add(header7, "name7=value7");
+                dataset.Add(header7, "name7=value7; samesite=none");
 
 
                 return dataset;
@@ -155,9 +155,20 @@ public static TheoryData<IList<SetCookieHeaderValue>, string[]> ListOfSetCookieH
                 {
                     SameSite = SameSiteMode.Strict
                 };
-                var string6a = "name6=value6; samesite";
-                var string6b = "name6=value6; samesite=Strict";
-                var string6c = "name6=value6; samesite=invalid";
+                var string6 = "name6=value6; samesite=Strict";
+
+                var header7 = new SetCookieHeaderValue("name7", "value7")
+                {
+                    SameSite = SameSiteMode.None
+                };
+                var string7 = "name7=value7; samesite=None";
+
+                var header8 = new SetCookieHeaderValue("name8", "value8")
+                {
+                    SameSite = (SameSiteMode)(-1) // Unspecified
+                };
+                var string8a = "name8=value8; samesite";
+                var string8b = "name8=value8; samesite=invalid";
 
                 dataset.Add(new[] { header1 }.ToList(), new[] { string1 });
                 dataset.Add(new[] { header1, header1 }.ToList(), new[] { string1, string1 });
@@ -170,9 +181,10 @@ public static TheoryData<IList<SetCookieHeaderValue>, string[]> ListOfSetCookieH
                 dataset.Add(new[] { header1, header2, header3, header4 }.ToList(), new[] { string.Join(",", string1, string2, string3, string4) });
                 dataset.Add(new[] { header5 }.ToList(), new[] { string5a });
                 dataset.Add(new[] { header5 }.ToList(), new[] { string5b });
-                dataset.Add(new[] { header6 }.ToList(), new[] { string6a });
-                dataset.Add(new[] { header6 }.ToList(), new[] { string6b });
-                dataset.Add(new[] { header6 }.ToList(), new[] { string6c });
+                dataset.Add(new[] { header6 }.ToList(), new[] { string6 });
+                dataset.Add(new[] { header7 }.ToList(), new[] { string7 });
+                dataset.Add(new[] { header8 }.ToList(), new[] { string8a });
+                dataset.Add(new[] { header8 }.ToList(), new[] { string8b });
 
                 return dataset;
             }
@@ -301,6 +313,28 @@ public void SetCookieHeaderValue_ToString(SetCookieHeaderValue input, string exp
             Assert.Equal(expectedValue, input.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_ToString_SameSite2016Compat()
+        {
+            SetCookieHeaderValue.UseSameSite2016Compat = true;
+
+            var input = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            Assert.Equal("name=value", input.ToString());
+
+            SetCookieHeaderValue.UseSameSite2016Compat = false;
+
+            var input2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            Assert.Equal("name=value; samesite=none", input2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(SetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_AppendToStringBuilder(SetCookieHeaderValue input, string expectedValue)
@@ -312,6 +346,32 @@ public void SetCookieHeaderValue_AppendToStringBuilder(SetCookieHeaderValue inpu
             Assert.Equal(expectedValue, builder.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_AppendToStringBuilder_SameSite2016Compat()
+        {
+            SetCookieHeaderValue.UseSameSite2016Compat = true;
+
+            var builder = new StringBuilder();
+            var input = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            input.AppendToStringBuilder(builder);
+            Assert.Equal("name=value", builder.ToString());
+
+            SetCookieHeaderValue.UseSameSite2016Compat = false;
+
+            var builder2 = new StringBuilder();
+            var input2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            input2.AppendToStringBuilder(builder2);
+            Assert.Equal("name=value; samesite=none", builder2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(SetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_Parse_AcceptsValidValues(SetCookieHeaderValue cookie, string expectedValue)
@@ -322,6 +382,31 @@ public void SetCookieHeaderValue_Parse_AcceptsValidValues(SetCookieHeaderValue c
             Assert.Equal(expectedValue, header.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_Parse_AcceptsValidValues_SameSite2016Compat()
+        {
+            SetCookieHeaderValue.UseSameSite2016Compat = true;
+            var header = SetCookieHeaderValue.Parse("name=value; samesite=none");
+
+            var cookie = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.Strict,
+            };
+
+            Assert.Equal(cookie, header);
+            Assert.Equal("name=value; samesite=strict", header.ToString());
+            SetCookieHeaderValue.UseSameSite2016Compat = false;
+
+            var header2 = SetCookieHeaderValue.Parse("name=value; samesite=none");
+
+            var cookie2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+            Assert.Equal(cookie2, header2);
+            Assert.Equal("name=value; samesite=none", header2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(SetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_TryParse_AcceptsValidValues(SetCookieHeaderValue cookie, string expectedValue)
@@ -332,6 +417,31 @@ public void SetCookieHeaderValue_TryParse_AcceptsValidValues(SetCookieHeaderValu
             Assert.Equal(expectedValue, header.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_TryParse_AcceptsValidValues_SameSite2016Compat()
+        {
+            SetCookieHeaderValue.UseSameSite2016Compat = true;
+            Assert.True(SetCookieHeaderValue.TryParse("name=value; samesite=none", out var header));
+            var cookie = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.Strict,
+            };
+
+            Assert.Equal(cookie, header);
+            Assert.Equal("name=value; samesite=strict", header.ToString());
+
+            SetCookieHeaderValue.UseSameSite2016Compat = false;
+
+            Assert.True(SetCookieHeaderValue.TryParse("name=value; samesite=none", out var header2));
+            var cookie2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            Assert.Equal(cookie2, header2);
+            Assert.Equal("name=value; samesite=none", header2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(InvalidSetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_Parse_RejectsInvalidValues(string value)
diff --git a/src/Security/Authentication/WsFederation/samples/WsFedSample/WsFedSample.csproj b/src/Security/Authentication/WsFederation/samples/WsFedSample/WsFedSample.csproj
@@ -2,6 +2,7 @@
 
   <PropertyGroup>
     <TargetFrameworks>netcoreapp3.0</TargetFrameworks>
+    <AspNetCoreHostingModel>OutOfProcess</AspNetCoreHostingModel>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/src/Security/Authentication/test/CookieTests.cs b/src/Security/Authentication/test/CookieTests.cs
@@ -229,7 +229,7 @@ public async Task CookieOptionsAlterSetCookieHeader()
             Assert.Contains(" path=/foo", setCookie1);
             Assert.Contains(" domain=another.com", setCookie1);
             Assert.Contains(" secure", setCookie1);
-            Assert.DoesNotContain(" samesite", setCookie1);
+            Assert.Contains(" samesite=none", setCookie1);
             Assert.Contains(" httponly", setCookie1);
 
             var server2 = CreateServer(o =>
diff --git a/src/Security/Authentication/test/OpenIdConnect/OpenIdConnectChallengeTests.cs b/src/Security/Authentication/test/OpenIdConnect/OpenIdConnectChallengeTests.cs
@@ -437,6 +437,7 @@ public async Task ChallengeSetsNonceAndStateCookies(OpenIdConnectRedirectBehavio
             var server = settings.CreateTestServer();
             var transaction = await server.SendAsync(ChallengeEndpoint);
 
+            Assert.Contains("samesite=none", transaction.SetCookie.First());
             var challengeCookies = SetCookieHeaderValue.ParseList(transaction.SetCookie);
             var nonceCookie = challengeCookies.Where(cookie => cookie.Name.StartsWith(OpenIdConnectDefaults.CookieNoncePrefix, StringComparison.Ordinal)).Single();
             Assert.True(nonceCookie.Expires.HasValue);

Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,14 @@ public class SetCookieHeaderValue`
`20`	`20`	`private const string SecureToken = "secure";`
`21`	`21`	`// RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00`
`22`	`22`	`private const string SameSiteToken = "samesite";`
	`23`	`+ private static readonly string SameSiteNoneToken = SameSiteMode.None.ToString().ToLower();`
`23`	`24`	`private static readonly string SameSiteLaxToken = SameSiteMode.Lax.ToString().ToLower();`
`24`	`25`	`private static readonly string SameSiteStrictToken = SameSiteMode.Strict.ToString().ToLower();`
	`26`	`+`
	`27`	`+ // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1`
	`28`	`+ // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1`
	`29`	`+ internal static bool UseSameSite2016Compat;`
	`30`	`+`
`25`	`31`	`private const string HttpOnlyToken = "httponly";`
`26`	`32`	`private const string SeparatorToken = "; ";`
`27`	`33`	`private const string EqualsToken = "=";`
`@@ -36,6 +42,14 @@ private static readonly HttpHeaderParser<SetCookieHeaderValue> MultipleValuePars`
`36`	`42`	`private StringSegment _name;`
`37`	`43`	`private StringSegment _value;`
`38`	`44`
	`45`	`+ static SetCookieHeaderValue()`
	`46`	`+ {`
	`47`	`+ if (AppContext.TryGetSwitch("Microsoft.Net.Http.Headers.SetCookieHeaderValue.UseSameSite2016Compat", out var enabled))`
	`48`	`+ {`
	`49`	`+ UseSameSite2016Compat = enabled;`
	`50`	`+ }`
	`51`	`+ }`
	`52`	`+`
`39`	`53`	`private SetCookieHeaderValue()`
`40`	`54`	`{`
`41`	`55`	`// Used by the parser to create a new instance of this type.`
`@@ -92,16 +106,17 @@ public StringSegment Value`
`92`	`106`
`93`	`107`	`public bool Secure { get; set; }`
`94`	`108`
`95`		`- public SameSiteMode SameSite { get; set; }`
	`109`	`+ public SameSiteMode SameSite { get; set; } = UseSameSite2016Compat ? SameSiteMode.None : (SameSiteMode)(-1); // Unspecified`
`96`	`110`
`97`	`111`	`public bool HttpOnly { get; set; }`
`98`	`112`
`99`		`- // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict\|Lax}; httponly`
	`113`	`+ // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={strict\|lax\|none}; httponly`
`100`	`114`	`public override string ToString()`
`101`	`115`	`{`
`102`	`116`	`var length = _name.Length + EqualsToken.Length + _value.Length;`
`103`	`117`
`104`	`118`	`string maxAge = null;`
	`119`	`+ string sameSite = null;`
`105`	`120`
`106`	`121`	`if (Expires.HasValue)`
`107`	`122`	`{`
`@@ -129,9 +144,20 @@ public override string ToString()`
`129`	`144`	`length += SeparatorToken.Length + SecureToken.Length;`
`130`	`145`	`}`
`131`	`146`
`132`		`- if (SameSite != SameSiteMode.None)`
	`147`	`+ // Allow for Unspecified (-1) to skip SameSite`
	`148`	`+ if (SameSite == SameSiteMode.None && !UseSameSite2016Compat)`
	`149`	`+ {`
	`150`	`+ sameSite = SameSiteNoneToken;`
	`151`	`+ length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;`
	`152`	`+ }`
	`153`	`+ else if (SameSite == SameSiteMode.Lax)`
`133`	`154`	`{`
`134`		`- var sameSite = SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken;`
	`155`	`+ sameSite = SameSiteLaxToken;`
	`156`	`+ length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;`
	`157`	`+ }`
	`158`	`+ else if (SameSite == SameSiteMode.Strict)`
	`159`	`+ {`
	`160`	`+ sameSite = SameSiteStrictToken;`
`135`	`161`	`length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;`
`136`	`162`	`}`
`137`	`163`
`@@ -180,9 +206,9 @@ public override string ToString()`
`180`	`206`	`AppendSegment(ref span, SecureToken, null);`
`181`	`207`	`}`
`182`	`208`
`183`		`- if (headerValue.SameSite != SameSiteMode.None)`
	`209`	`+ if (sameSite != null)`
`184`	`210`	`{`
`185`		`- AppendSegment(ref span, SameSiteToken, headerValue.SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);`
	`211`	`+ AppendSegment(ref span, SameSiteToken, sameSite);`
`186`	`212`	`}`
`187`	`213`
`188`	`214`	`if (headerValue.HttpOnly)`
`@@ -248,9 +274,18 @@ public void AppendToStringBuilder(StringBuilder builder)`
`248`	`274`	`AppendSegment(builder, SecureToken, null);`
`249`	`275`	`}`
`250`	`276`
`251`		`- if (SameSite != SameSiteMode.None)`
	`277`	`+ // Allow for Unspecified (-1) to skip SameSite`
	`278`	`+ if (SameSite == SameSiteMode.None && !UseSameSite2016Compat)`
	`279`	`+ {`
	`280`	`+ AppendSegment(builder, SameSiteToken, SameSiteNoneToken);`
	`281`	`+ }`
	`282`	`+ else if (SameSite == SameSiteMode.Lax)`
`252`	`283`	`{`
`253`		`- AppendSegment(builder, SameSiteToken, SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);`
	`284`	`+ AppendSegment(builder, SameSiteToken, SameSiteLaxToken);`
	`285`	`+ }`
	`286`	`+ else if (SameSite == SameSiteMode.Strict)`
	`287`	`+ {`
	`288`	`+ AppendSegment(builder, SameSiteToken, SameSiteStrictToken);`
`254`	`289`	`}`
`255`	`290`
`256`	`291`	`if (HttpOnly)`
`@@ -302,7 +337,7 @@ public static bool TryParseStrictList(IList<string> inputs, out IList<SetCookieH`
`302`	`337`	`return MultipleValueParser.TryParseStrictValues(inputs, out parsedValues);`
`303`	`338`	`}`
`304`	`339`
`305`		`- // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict\|Lax}; httponly`
	`340`	`+ // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict\|Lax\|None}; httponly`
`306`	`341`	`private static int GetSetCookieLength(StringSegment input, int startIndex, out SetCookieHeaderValue parsedValue)`
`307`	`342`	`{`
`308`	`343`	`Contract.Requires(startIndex >= 0);`
`@@ -437,25 +472,34 @@ private static int GetSetCookieLength(StringSegment input, int startIndex, out S`
`437`	`472`	`{`
`438`	`473`	`result.Secure = true;`
`439`	`474`	`}`
`440`		`- // samesite-av = "SameSite" / "SameSite=" samesite-value`
`441`		`- // samesite-value = "Strict" / "Lax"`
	`475`	`+ // samesite-av = "SameSite=" samesite-value`
	`476`	`+ // samesite-value = "Strict" / "Lax" / "None"`
`442`	`477`	`else if (StringSegment.Equals(token, SameSiteToken, StringComparison.OrdinalIgnoreCase))`
`443`	`478`	`{`
`444`	`479`	`if (!ReadEqualsSign(input, ref offset))`
`445`	`480`	`{`
`446`		`- result.SameSite = SameSiteMode.Strict;`
	`481`	`+ result.SameSite = UseSameSite2016Compat ? SameSiteMode.Strict : (SameSiteMode)(-1); // Unspecified`
`447`	`482`	`}`
`448`	`483`	`else`
`449`	`484`	`{`
`450`	`485`	`var enforcementMode = ReadToSemicolonOrEnd(input, ref offset);`
`451`	`486`
`452`		`- if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))`
	`487`	`+ if (StringSegment.Equals(enforcementMode, SameSiteStrictToken, StringComparison.OrdinalIgnoreCase))`
	`488`	`+ {`
	`489`	`+ result.SameSite = SameSiteMode.Strict;`
	`490`	`+ }`
	`491`	`+ else if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))`
`453`	`492`	`{`
`454`	`493`	`result.SameSite = SameSiteMode.Lax;`
`455`	`494`	`}`
	`495`	`+ else if (!UseSameSite2016Compat`
	`496`	`+ && StringSegment.Equals(enforcementMode, SameSiteNoneToken, StringComparison.OrdinalIgnoreCase))`
	`497`	`+ {`
	`498`	`+ result.SameSite = SameSiteMode.None;`
	`499`	`+ }`
`456`	`500`	`else`
`457`	`501`	`{`
`458`		`- result.SameSite = SameSiteMode.Strict;`
	`502`	`+ result.SameSite = UseSameSite2016Compat ? SameSiteMode.Strict : (SameSiteMode)(-1); // Unspecified`
`459`	`503`	`}`
`460`	`504`	`}`
`461`	`505`	`}`