Adding SameSite=None cookie attribute to uids cookie (#1012)

* committing changes for adding SameSite=none cookie attribute

* incorporating code review comments - moving user agent splitting logic to setuid end-point

Author: PubMatic-OpenWrap

adapters/adform/adform_test.go

@@ -185,7 +185,8 @@ func preparePrebidRequest(serverUrl string, t *testing.T) *pbs.PBSRequest {
 	pbsCookie := usersync.ParsePBSCookieFromRequest(prebidHttpRequest, &config.HostCookie{})
 	pbsCookie.TrySync("adform", adformTestData.buyerUID)
 	fakeWriter := httptest.NewRecorder()
-	pbsCookie.SetCookieOnResponse(fakeWriter, &config.HostCookie{Domain: ""}, time.Minute)
+
+	pbsCookie.SetCookieOnResponse(fakeWriter, false, &config.HostCookie{Domain: ""}, time.Minute)
 	prebidHttpRequest.Header.Add("Cookie", fakeWriter.Header().Get("Set-Cookie"))
 
 	cacheClient, _ := dummycache.New()

adapters/appnexus/appnexus_test.go

@@ -367,7 +367,8 @@ func TestAppNexusBasicResponse(t *testing.T) {
 	pc := usersync.ParsePBSCookieFromRequest(req, &config.HostCookie{})
 	pc.TrySync("adnxs", andata.buyerUID)
 	fakewriter := httptest.NewRecorder()
-	pc.SetCookieOnResponse(fakewriter, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
+
+	pc.SetCookieOnResponse(fakewriter, false, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
 	req.Header.Add("Cookie", fakewriter.Header().Get("Set-Cookie"))
 
 	cacheClient, _ := dummycache.New()

adapters/audienceNetwork/facebook_test.go

@@ -209,7 +209,8 @@ func GenerateBidRequestForTestData(fbdata bidInfo, url string) (*pbs.PBSRequest,
 	pc := usersync.ParsePBSCookieFromRequest(req, &config.HostCookie{})
 	pc.TrySync("audienceNetwork", fbdata.buyerUID)
 	fakewriter := httptest.NewRecorder()
-	pc.SetCookieOnResponse(fakewriter, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
+
+	pc.SetCookieOnResponse(fakewriter, false, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
 	req.Header.Add("Cookie", fakewriter.Header().Get("Set-Cookie"))
 
 	cacheClient, _ := dummycache.New()

adapters/lifestreet/lifestreet_test.go

@@ -227,7 +227,8 @@ func TestLifestreetBasicResponse(t *testing.T) {
 
 	pc := usersync.ParsePBSCookieFromRequest(req, &config.HostCookie{})
 	fakewriter := httptest.NewRecorder()
-	pc.SetCookieOnResponse(fakewriter, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
+
+	pc.SetCookieOnResponse(fakewriter, false, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
 	req.Header.Add("Cookie", fakewriter.Header().Get("Set-Cookie"))
 
 	cacheClient, _ := dummycache.New()

adapters/pubmatic/pubmatic_test.go

@@ -656,7 +656,8 @@ func TestPubmaticSampleRequest(t *testing.T) {
 	pc := usersync.ParsePBSCookieFromRequest(httpReq, &config.HostCookie{})
 	pc.TrySync("pubmatic", "12345")
 	fakewriter := httptest.NewRecorder()
-	pc.SetCookieOnResponse(fakewriter, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
+
+	pc.SetCookieOnResponse(fakewriter, false, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
 	httpReq.Header.Add("Cookie", fakewriter.Header().Get("Set-Cookie"))
 
 	cacheClient, _ := dummycache.New()

adapters/pulsepoint/pulsepoint_test.go

@@ -226,7 +226,8 @@ func SampleRequest(numberOfImpressions int, t *testing.T) *pbs.PBSRequest {
 	pc := usersync.ParsePBSCookieFromRequest(httpReq, &config.HostCookie{})
 	pc.TrySync("pulsepoint", "pulsepointUser123")
 	fakewriter := httptest.NewRecorder()
-	pc.SetCookieOnResponse(fakewriter, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
+
+	pc.SetCookieOnResponse(fakewriter, false, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
 	httpReq.Header.Add("Cookie", fakewriter.Header().Get("Set-Cookie"))
 	// parse the http request
 	cacheClient, _ := dummycache.New()

adapters/rubicon/rubicon_test.go

@@ -945,7 +945,8 @@ func CreatePrebidRequest(server *httptest.Server, t *testing.T) (an *RubiconAdap
 	pc := usersync.ParsePBSCookieFromRequest(req, &config.HostCookie{})
 	pc.TrySync("rubicon", rubidata.buyerUID)
 	fakewriter := httptest.NewRecorder()
-	pc.SetCookieOnResponse(fakewriter, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
+
+	pc.SetCookieOnResponse(fakewriter, false, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
 	req.Header.Add("Cookie", fakewriter.Header().Get("Set-Cookie"))
 
 	cacheClient, _ := dummycache.New()

adapters/sovrn/sovrn_test.go

@@ -188,7 +188,8 @@ func SampleSovrnRequest(numberOfImpressions int, t *testing.T) *pbs.PBSRequest {
 	pc := usersync.ParsePBSCookieFromRequest(httpReq, &config.HostCookie{})
 	pc.TrySync("sovrn", testSovrnUserId)
 	fakewriter := httptest.NewRecorder()
-	pc.SetCookieOnResponse(fakewriter, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
+
+	pc.SetCookieOnResponse(fakewriter, false, &config.HostCookie{Domain: ""}, 90*24*time.Hour)
 	httpReq.Header.Add("Cookie", fakewriter.Header().Get("Set-Cookie"))
 	// parse the http request
 	cacheClient, _ := dummycache.New()

endpoints/cookie_sync.go

@@ -106,8 +106,16 @@ func (deps *cookieSyncDeps) Endpoint(w http.ResponseWriter, r *http.Request, _ h
 			parsedReq.Bidders = append(parsedReq.Bidders, string(bidder))
 		}
 	}
+	setSiteCookie := siteCookieCheck(r.UserAgent())
+	needSyncupForSameSite := false
+	if setSiteCookie {
+		_, err1 := r.Cookie(usersync.SameSiteCookieName)
+		if err1 == http.ErrNoCookie {
+			needSyncupForSameSite = true
+		}
+	}
 
-	parsedReq.filterExistingSyncs(deps.syncers, userSyncCookie)
+	parsedReq.filterExistingSyncs(deps.syncers, userSyncCookie, needSyncupForSameSite)
 	adapterSyncs := make(map[openrtb_ext.BidderName]bool)
 	for _, b := range parsedReq.Bidders {
 		// assume all bidders will be GDPR blocked
@@ -183,10 +191,10 @@ type cookieSyncRequest struct {
 	Limit   int      `json:"limit"`
 }
 
-func (req *cookieSyncRequest) filterExistingSyncs(valid map[openrtb_ext.BidderName]usersync.Usersyncer, cookie *usersync.PBSCookie) {
+func (req *cookieSyncRequest) filterExistingSyncs(valid map[openrtb_ext.BidderName]usersync.Usersyncer, cookie *usersync.PBSCookie, needSyncupForSameSite bool) {
 	for i := 0; i < len(req.Bidders); i++ {
 		thisBidder := req.Bidders[i]
-		if syncer, isValid := valid[openrtb_ext.BidderName(thisBidder)]; !isValid || cookie.HasLiveSync(syncer.FamilyName()) {
+		if syncer, isValid := valid[openrtb_ext.BidderName(thisBidder)]; !isValid || (cookie.HasLiveSync(syncer.FamilyName()) && !needSyncupForSameSite) {
 			req.Bidders = append(req.Bidders[:i], req.Bidders[i+1:]...)
 			i--
 		}

endpoints/setuid.go

@@ -3,6 +3,8 @@ package endpoints
 import (
 	"context"
 	"net/http"
+	"strconv"
+	"strings"
 	"time"
 
 	"github.com/julienschmidt/httprouter"
@@ -14,6 +16,14 @@ import (
 	"github.com/prebid/prebid-server/usersync"
 )
 
+const (
+	chromeStr       = "Chrome/"
+	chromeiOSStr    = "CriOS/"
+	chromeMinVer    = 67
+	chromeStrLen    = len(chromeStr)
+	chromeiOSStrLen = len(chromeiOSStr)
+)
+
 func NewSetUIDEndpoint(cfg config.HostCookie, perms gdpr.Permissions, pbsanalytics analytics.PBSAnalyticsModule, metrics pbsmetrics.MetricsEngine) httprouter.Handle {
 	cookieTTL := time.Duration(cfg.TTL) * 24 * time.Hour
 	return httprouter.Handle(func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
@@ -76,10 +86,39 @@ func NewSetUIDEndpoint(cfg config.HostCookie, perms gdpr.Permissions, pbsanalyti
 			so.Success = true
 		}
 
-		pc.SetCookieOnResponse(w, &cfg, cookieTTL)
+		setSiteCookie := siteCookieCheck(r.UserAgent())
+		pc.SetCookieOnResponse(w, setSiteCookie, &cfg, cookieTTL)
 	})
 }
 
+// siteCookieCheck scans the input User Agent string to check if browser is Chrome and browser version is greater than the minimum version for adding the SameSite cookie attribute
+func siteCookieCheck(ua string) bool {
+	result := false
+
+	index := strings.Index(ua, chromeStr)
+	criOSIndex := strings.Index(ua, chromeiOSStr)
+	if index != -1 {
+		result = checkChromeBrowserVersion(ua, index, chromeStrLen)
+	} else if criOSIndex != -1 {
+		result = checkChromeBrowserVersion(ua, criOSIndex, chromeiOSStrLen)
+	}
+	return result
+}
+
+func checkChromeBrowserVersion(ua string, index int, chromeStrLength int) bool {
+	result := false
+	vIndex := index + chromeStrLength
+	dotIndex := strings.Index(ua[vIndex:], ".")
+	if dotIndex == -1 {
+		dotIndex = len(ua[vIndex:])
+	}
+	version, _ := strconv.Atoi(ua[vIndex : vIndex+dotIndex])
+	if version >= chromeMinVer {
+		result = true
+	}
+	return result
+}
+
 func preventSyncsGDPR(gdprEnabled string, gdprConsent string, perms gdpr.Permissions) (bool, int, string) {
 	switch gdprEnabled {
 	case "0":

endpoints/setuid_test.go

@@ -196,3 +196,21 @@ func (g *mockPermsSetUID) BidderSyncAllowed(ctx context.Context, bidder openrtb_
 func (g *mockPermsSetUID) PersonalInfoAllowed(ctx context.Context, bidder openrtb_ext.BidderName, PublisherID string, consent string) (bool, error) {
 	return g.allowPI, nil
 }
+
+func TestSiteCookieCheck(t *testing.T) {
+	ua := "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36"
+	expectedResult := true
+	actualResult := siteCookieCheck(ua)
+	if actualResult != expectedResult {
+		t.Errorf("Expected: %v, but got: %v", expectedResult, actualResult)
+	}
+}
+
+func TestSiteCookieCheckForOlderChromeVersion(t *testing.T) {
+	ua := "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3770.142 Safari/537.36"
+	expectedResult := false
+	actualResult := siteCookieCheck(ua)
+	if actualResult != expectedResult {
+		t.Errorf("Expected: %v, but got: %v", expectedResult, actualResult)
+	}
+}

pbs/usersync.go

@@ -95,7 +95,8 @@ func (deps *UserSyncDeps) OptOut(w http.ResponseWriter, r *http.Request, _ httpr
 	pc := usersync.ParsePBSCookieFromRequest(r, deps.HostCookieConfig)
 	pc.SetPreference(optout == "")
 
-	pc.SetCookieOnResponse(w, deps.HostCookieConfig, deps.HostCookieConfig.TTLDuration())
+	pc.SetCookieOnResponse(w, false, deps.HostCookieConfig, deps.HostCookieConfig.TTLDuration())
+
 	if optout == "" {
 		http.Redirect(w, r, deps.HostCookieConfig.OptInURL, 301)
 	} else {

usersync/cookie.go

@@ -12,9 +12,14 @@ import (
 	"github.com/prebid/prebid-server/openrtb_ext"
 )
 
-// DEFAULT_TTL is the default amount of time which a cookie is considered valid.
-const DEFAULT_TTL = 14 * 24 * time.Hour
-const UID_COOKIE_NAME = "uids"
+const (
+	// DEFAULT_TTL is the default amount of time which a cookie is considered valid.
+	DEFAULT_TTL         = 14 * 24 * time.Hour
+	UID_COOKIE_NAME     = "uids"
+	SameSiteCookieName  = "SSCookie"
+	SameSiteCookieValue = "1"
+	SameSiteAttribute   = "; SameSite=None"
+)
 
 // customBidderTTLs stores rules about how long a particular UID sync is valid for each bidder.
 // If a bidder does a cookie sync *without* listing a rule here, then the DEFAULT_TTL will be used.
@@ -161,7 +166,7 @@ func (cookie *PBSCookie) GetId(bidderName openrtb_ext.BidderName) (id string, ex
 }
 
 // SetCookieOnResponse is a shortcut for "ToHTTPCookie(); cookie.setDomain(domain); setCookie(w, cookie)"
-func (cookie *PBSCookie) SetCookieOnResponse(w http.ResponseWriter, cfg *config.HostCookie, ttl time.Duration) {
+func (cookie *PBSCookie) SetCookieOnResponse(w http.ResponseWriter, setSiteCookie bool, cfg *config.HostCookie, ttl time.Duration) {
 	httpCookie := cookie.ToHTTPCookie(ttl)
 	var domain string = cfg.Domain
 
@@ -187,7 +192,22 @@ func (cookie *PBSCookie) SetCookieOnResponse(w http.ResponseWriter, cfg *config.
 		}
 		currSize = len([]byte(httpCookie.String()))
 	}
-	http.SetCookie(w, httpCookie)
+
+	uidsCookieStr := httpCookie.String()
+	var sameSiteCookie *http.Cookie
+	if setSiteCookie {
+		uidsCookieStr += SameSiteAttribute
+		sameSiteCookie = &http.Cookie{
+			Name:    SameSiteCookieName,
+			Value:   SameSiteCookieValue,
+			Expires: time.Now().Add(ttl),
+			Path:    "/",
+		}
+		sameSiteCookieStr := sameSiteCookie.String()
+		sameSiteCookieStr += SameSiteAttribute
+		w.Header().Add("Set-Cookie", sameSiteCookieStr)
+	}
+	w.Header().Add("Set-Cookie", uidsCookieStr)
 }
 
 // Unsync removes the user's ID for the given family from this cookie.

usersync/cookie_test.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 
@@ -402,11 +403,41 @@ func newTestCookie() (*PBSCookie, int) {
 func writeThenRead(cookie *PBSCookie, maxCookieSize int) *PBSCookie {
 	w := httptest.NewRecorder()
 	hostCookie := &config.HostCookie{Domain: "mock-domain", MaxCookieSizeBytes: maxCookieSize}
-	cookie.SetCookieOnResponse(w, hostCookie, 90*24*time.Hour)
+	cookie.SetCookieOnResponse(w, false, hostCookie, 90*24*time.Hour)
 	writtenCookie := w.HeaderMap.Get("Set-Cookie")
 
 	header := http.Header{}
 	header.Add("Cookie", writtenCookie)
 	request := http.Request{Header: header}
 	return ParsePBSCookieFromRequest(&request, hostCookie)
 }
+
+func TestSetCookieOnResponseForSameSiteNone(t *testing.T) {
+	cookie := newSampleCookie()
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest("GET", "http://www.prebid.com", nil)
+	ua := "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36"
+	req.Header.Set("User-Agent", ua)
+	hostCookie := &config.HostCookie{Domain: "mock-domain", MaxCookieSizeBytes: 0}
+	cookie.SetCookieOnResponse(w, true, hostCookie, 90*24*time.Hour)
+	writtenCookie := w.HeaderMap.Get("Set-Cookie")
+	t.Log("Set-Cookie is: ", writtenCookie)
+	if !strings.Contains(writtenCookie, "SSCookie=1") {
+		t.Error("Set-Cookie should contain SSCookie=1")
+	}
+}
+
+func TestSetCookieOnResponseForOlderChromeVersion(t *testing.T) {
+	cookie := newSampleCookie()
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest("GET", "http://www.prebid.com", nil)
+	ua := "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3770.142 Safari/537.36"
+	req.Header.Set("User-Agent", ua)
+	hostCookie := &config.HostCookie{Domain: "mock-domain", MaxCookieSizeBytes: 0}
+	cookie.SetCookieOnResponse(w, false, hostCookie, 90*24*time.Hour)
+	writtenCookie := w.HeaderMap.Get("Set-Cookie")
+	t.Log("Set-Cookie is: ", writtenCookie)
+	if strings.Contains(writtenCookie, "SameSite=none") {
+		t.Error("Set-Cookie should not contain SameSite=none")
+	}
+}