shopify_app 11.5.1 → 11.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f2c7003fc52f7cdca6ab2ecd68fd087aee28e63e8bfbdc59ea7ca82886f28b8
-  data.tar.gz: b967b29d2122d732af04ef1aeb3fcf814fe53fd5103b124009bfad0daf2d298b
+  metadata.gz: 14c540b5ab61f25b6a0ad180f76161ae69536d8fcf52f623bd997055b145e02a
+  data.tar.gz: 69be07412bfd24ca729a2e4d1207a7884d71418e5773337ddb477118d2594e86
 SHA512:
-  metadata.gz: 325bc337b2be96e0cd91250ee19ddbed0ac34baf2c0bcea995f4b78048738e9a3d638e95334b55bb28e3350eb20365d1f9f2fcfe698356d338e2551797a7877c
-  data.tar.gz: 7781e846d38666203e63eb6d17f182cea70a9011a5c5dec6b3b0dc540ae5473a21ae8f13fb82719435691b87e14c4981135d4f4e984e09a34cbd81316e89996a
+  metadata.gz: 901b0a51d2891756243f0903d23833dc3399b158fb27f703a5fe3f977550db9c7d87116b83b1c568de57236855704e80d1dec91fe2094a6cf4280abaff116219
+  data.tar.gz: 172ac0593c9ee3c0dd870a585e122feaeae4b387df367c6962d239e0a79a784c247bc1645ecbe3a3264ae3b57142bbd0854bc34a67461e134374214419a3125c

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+11.6.0
+-----
+* Enable SameSite=None; Secure by default on all cookies for embedded apps [#851](https://github.com/Shopify/shopify_app/pull/851)
+  * Ensures compatibility of embedded apps with upcoming Chrome version 80 changes to cookie behaviour
+  * Configurable via `ShopifyApp.configuration.enable_same_site_none` (default true for embedded apps)
+
 11.5.1
 -----
 * Revert per-user token support temporarily

data/lib/shopify_app.rb

@@ -43,6 +43,9 @@ module ShopifyApp
   require 'shopify_app/managers/webhooks_manager'
   require 'shopify_app/managers/scripttags_manager'
 
+  # middleware
+  require 'shopify_app/middleware/same_site_cookie_middleware'
+
   # session
   require 'shopify_app/session/session_storage'
   require 'shopify_app/session/session_repository'

data/lib/shopify_app/configuration.rb

@@ -34,6 +34,9 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
+    # allow enabling of same site none on cookies
+    attr_accessor :enable_same_site_none
+
     def initialize
       @root_url = '/'
       @myshopify_domain = 'myshopify.com'
@@ -58,6 +61,10 @@ module ShopifyApp
     def has_scripttags?
       scripttags.present?
     end
+
+    def enable_same_site_none
+      @enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none
+    end
   end
 
   def self.configuration

data/lib/shopify_app/engine.rb

@@ -12,5 +12,9 @@ module ShopifyApp
         storage_access.svg
       ]
     end
+
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_before(ActionDispatch::Cookies, ShopifyApp::SameSiteCookieMiddleware)
+    end
   end
 end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -0,0 +1,60 @@
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      _status, headers, _body = @app.call(env)
+    ensure
+      user_agent = env['HTTP_USER_AGENT']
+
+      if headers && headers['Set-Cookie'] && !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
+          ShopifyApp.configuration.enable_same_site_none
+
+        cookies = headers['Set-Cookie'].split("\n").compact
+
+        cookies.each do |cookie|
+          unless cookie.include?("; SameSite")
+            headers['Set-Cookie'] = headers['Set-Cookie'].gsub("#{cookie}", "#{cookie}; secure; SameSite=None")
+          end
+        end
+      end
+    end
+
+    def self.same_site_none_incompatible?(user_agent)
+      sniffer = BrowserSniffer.new(user_agent)
+
+      webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
+    rescue
+      true
+    end
+
+    def self.webkit_same_site_bug?(sniffer)
+      (sniffer.os == :ios && sniffer.os_version.match?(/^([0-9]|1[12])[\.\_]/)) ||
+        (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match?(/^10[\.\_]14/))
+    end
+
+    def self.drops_unrecognized_same_site_cookies?(sniffer)
+      (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
+        (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
+    end
+
+    def self.chromium_based?(sniffer)
+      sniffer.browser_name.downcase.match?(/chrom(e|ium)/)
+    end
+
+    def self.uc_browser?(sniffer)
+      sniffer.user_agent.downcase.match?(/uc\s?browser/)
+    end
+
+    def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
+      digits = sniffer.browser_version.split('.').map(&:to_i)
+      return false unless digits.count >= 3
+
+      return digits[0] > major if digits[0] != major
+      return digits[1] > minor if digits[1] != minor
+      digits[2] >= build
+    end
+  end
+end

data/lib/shopify_app/version.rb

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '11.5.1'.freeze
+  VERSION = '11.6.0'.freeze
 end

data/package.json

@@ -23,5 +23,6 @@
   },
   "scripts": {
     "test": "./node_modules/.bin/karma start --browsers ChromeHeadless --single-run"
-  }
+  },
+  "version": "11.6.0"
 }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 11.5.1
+  version: 11.6.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-08 00:00:00.000000000 Z
+date: 2020-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -290,6 +290,7 @@ files:
 - lib/shopify_app/jobs/webhooks_manager_job.rb
 - lib/shopify_app/managers/scripttags_manager.rb
 - lib/shopify_app/managers/webhooks_manager.rb
+- lib/shopify_app/middleware/same_site_cookie_middleware.rb
 - lib/shopify_app/session/in_memory_session_store.rb
 - lib/shopify_app/session/session_repository.rb
 - lib/shopify_app/session/session_storage.rb