Merge pull request #15052 from motooka/samesite-default-value

Samesite default value

src/Http/Middleware/CsrfProtectionMiddleware.php

@@ -207,7 +207,7 @@ class CsrfProtectionMiddleware
             '',
             (bool)$this->_config['secure'],
             (bool)$this->_config['httpOnly'],
-            $this->_config['samesite']
+            isset($this->_config['samesite']) ? $this->_config['samesite'] : $this->_defaultConfig['samesite']
         );
 
         return $response->withCookie($cookie);

tests/TestCase/Http/Middleware/CsrfProtectionMiddlewareTest.php

@@ -354,4 +354,35 @@ class CsrfProtectionMiddlewareTest extends TestCase
         $response = $middleware($request, $response, $this->_getNextClosure());
         $this->assertInstanceOf(Response::class, $response);
     }
+
+    /**
+     * Test the situation where the app is upgraded from 3.9.2 or earlier to 3.9.3 or later,
+     * without deleting route cache.
+     *
+     * @return void
+     */
+    public function testMissingSamesite()
+    {
+        $request = new ServerRequest([
+            'environment' => ['REQUEST_METHOD' => 'GET'],
+            'webroot' => '/dir/',
+        ]);
+        $response = new Response();
+
+        $closure = function ($request, $response) {
+        };
+
+        $middleware = new CsrfProtectionMiddleware();
+
+        // simulate 3.9.2 or earlier by deleting "samesite" config
+        $reflection = new \ReflectionClass($middleware);
+        $property = $reflection->getProperty('_config');
+        $property->setAccessible(true);
+        $defaultConfig = $property->getValue($middleware);
+        unset($defaultConfig['samesite']);
+        $property->setValue($middleware, $defaultConfig);
+
+        $middleware($request, $response, $closure);
+        $this->assertTrue(true);
+    }
 }