Merge branch 'MC-38365' of github.com:magento-cia/magento2ce into cia-2.3.7-1152021

Author: admanesachin

app/code/Magento/Checkout/view/frontend/web/js/sidebar.js

@@ -64,11 +64,14 @@ define([
             events['click ' + this.options.button.checkout] = $.proxy(function () {
                 var cart = customerData.get('cart'),
                     customer = customerData.get('customer'),
+                    cookieOptions = {
+                        samesite: 'lax'
+                    },
                     element = $(this.options.button.checkout);
 
                 if (!customer().firstname && cart().isGuestCheckoutAllowed === false) {
                     // set URL for redirect on successful login/registration. It's postprocessed on backend.
-                    $.cookie('login_redirect', this.options.url.checkout);
+                    $.cookie('login_redirect', this.options.url.checkout, cookieOptions);
 
                     if (this.options.url.isRedirectRequired) {
                         element.prop('disabled', true);

app/code/Magento/Cookie/view/base/web/js/jquery.storageapi.extended.js

@@ -18,6 +18,7 @@ define([
     function _extend(storage) {
         $.extend(storage, {
             _secure: window.cookiesConfig ? window.cookiesConfig.secure : false,
+            _samesite: window.cookiesConfig ? window.cookiesConfig.samesite : 'lax',
 
             /**
              * Set value under name
@@ -30,7 +31,8 @@ define([
                     expires: this._expires,
                     path: this._path,
                     domain: this._domain,
-                    secure: this._secure
+                    secure: this._secure,
+                    samesite: this._samesite
                 };
 
                 $.cookie(this._prefix + name, value, $.extend(_default, options || {}));
@@ -58,6 +60,10 @@ define([
                     this._secure = c.secure;
                 }
 
+                if (typeof c.samesite !== 'undefined') {
+                    this._samesite = c.samesite;
+                }
+
                 return this;
             }
         });

app/code/Magento/Customer/view/frontend/web/js/customer-data.js

@@ -32,7 +32,8 @@ define([
     //TODO: remove global change, in this case made for initNamespaceStorage
     $.cookieStorage.setConf({
         path: '/',
-        expires: 1
+        expires: 1,
+        samesite: 'lax'
     });
 
     storage = $.initNamespaceStorage('mage-cache-storage').localStorage;

app/code/Magento/PageCache/Plugin/RegisterFormKeyFromCookie.php

@@ -96,6 +96,7 @@ private function updateCookieFormKey(string $formKey): void
         $cookieMetadata->setDomain($this->sessionConfig->getCookieDomain());
         $cookieMetadata->setPath($this->sessionConfig->getCookiePath());
         $cookieMetadata->setSecure($this->sessionConfig->getCookieSecure());
+        $cookieMetadata->setSameSite('Lax');
         $lifetime = $this->sessionConfig->getCookieLifetime();
         if ($lifetime !== 0) {
             $cookieMetadata->setDuration($lifetime);

app/code/Magento/Persistent/Model/Session.php

@@ -12,6 +12,7 @@
  * @method int getCustomerId()
  * @method Session setCustomerId()
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  * @since 100.0.2
  */
 class Session extends \Magento\Framework\Model\AbstractModel
@@ -391,7 +392,8 @@ private function setCookie($value, $duration, $path)
             ->setDuration($duration)
             ->setPath($path)
             ->setSecure($this->getRequest()->isSecure())
-            ->setHttpOnly(true);
+            ->setHttpOnly(true)
+            ->setSameSite('Lax');
         $this->_cookieManager->setPublicCookie(
             self::COOKIE_NAME,
             $value,

app/code/Magento/Persistent/Test/Unit/Model/SessionTest.php

@@ -3,42 +3,58 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Persistent\Test\Unit\Model;
 
-class SessionTest extends \PHPUnit\Framework\TestCase
+use Magento\Framework\App\Request\Http;
+use Magento\Framework\Model\ActionValidator\RemoveAction;
+use Magento\Framework\Model\Context;
+use Magento\Framework\Model\ResourceModel\Db\AbstractDb;
+use Magento\Framework\Session\Config\ConfigInterface;
+use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
+use Magento\Framework\Stdlib\Cookie\PublicCookieMetadata;
+use Magento\Framework\Stdlib\Cookie\SensitiveCookieMetadata;
+use Magento\Framework\Stdlib\CookieManagerInterface;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Persistent\Model\Session;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+
+class SessionTest extends TestCase
 {
     /**
-     * @var \Magento\Persistent\Model\Session
+     * @var Session
      */
     protected $session;
 
     /**
-     * @var \Magento\Framework\Session\Config\ConfigInterface|\PHPUnit_Framework_MockObject_MockObject
+     * @var ConfigInterface|MockObject
      */
     protected $configMock;
 
     /**
-     * @var \Magento\Framework\Stdlib\CookieManagerInterface |\PHPUnit_Framework_MockObject_MockObject
+     * @var CookieManagerInterface|MockObject
      */
     protected $cookieManagerMock;
 
     /**
-     * @var \Magento\Framework\Stdlib\Cookie\CookieMetadataFactory |\PHPUnit_Framework_MockObject_MockObject
+     * @var CookieMetadataFactory|MockObject
      */
     protected $cookieMetadataFactoryMock;
 
-    protected function setUp()
+    protected function setUp(): void
     {
-        $helper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
-        $this->configMock = $this->createMock(\Magento\Framework\Session\Config\ConfigInterface::class);
-        $this->cookieManagerMock = $this->createMock(\Magento\Framework\Stdlib\CookieManagerInterface::class);
+        $helper = new ObjectManager($this);
+        $this->configMock = $this->getMockForAbstractClass(ConfigInterface::class);
+        $this->cookieManagerMock = $this->getMockForAbstractClass(CookieManagerInterface::class);
         $this->cookieMetadataFactoryMock = $this->getMockBuilder(
-            \Magento\Framework\Stdlib\Cookie\CookieMetadataFactory::class
+            CookieMetadataFactory::class
         )->disableOriginalConstructor()
             ->getMock();
 
         $resourceMock = $this->getMockForAbstractClass(
-            \Magento\Framework\Model\ResourceModel\Db\AbstractDb::class,
+            AbstractDb::class,
             [],
             '',
             false,
@@ -47,24 +63,24 @@ protected function setUp()
             ['__wakeup', 'getIdFieldName', 'getConnection', 'beginTransaction', 'delete', 'commit', 'rollBack']
         );
 
-        $actionValidatorMock = $this->createMock(\Magento\Framework\Model\ActionValidator\RemoveAction::class);
-        $actionValidatorMock->expects($this->any())->method('isAllowed')->will($this->returnValue(true));
+        $actionValidatorMock = $this->createMock(RemoveAction::class);
+        $actionValidatorMock->expects($this->any())->method('isAllowed')->willReturn(true);
 
         $context = $helper->getObject(
-            \Magento\Framework\Model\Context::class,
+            Context::class,
             [
                 'actionValidator' => $actionValidatorMock,
             ]
         );
 
         $this->session = $helper->getObject(
-            \Magento\Persistent\Model\Session::class,
+            Session::class,
             [
                 'sessionConfig' => $this->configMock,
                 'cookieManager' => $this->cookieManagerMock,
                 'context'       => $context,
                 'cookieMetadataFactory' => $this->cookieMetadataFactoryMock,
-                'request' => $this->createMock(\Magento\Framework\App\Request\Http::class),
+                'request' => $this->createMock(Http::class),
                 'resource' => $resourceMock,
             ]
         );
@@ -74,8 +90,8 @@ public function testLoadByCookieKeyWithNull()
     {
         $this->cookieManagerMock->expects($this->once())
             ->method('getCookie')
-            ->with(\Magento\Persistent\Model\Session::COOKIE_NAME)
-            ->will($this->returnValue(null));
+            ->with(Session::COOKIE_NAME)
+            ->willReturn(null);
         $this->session->loadByCookieKey(null);
     }
 
@@ -85,23 +101,22 @@ public function testLoadByCookieKeyWithNull()
     public function testAfterDeleteCommit()
     {
         $cookiePath = 'some_path';
-        $this->configMock->expects($this->once())->method('getCookiePath')->will($this->returnValue($cookiePath));
-        $cookieMetadataMock = $this->getMockBuilder(\Magento\Framework\Stdlib\Cookie\SensitiveCookieMetadata::class)
+        $this->configMock->expects($this->once())->method('getCookiePath')->willReturn($cookiePath);
+        $cookieMetadataMock = $this->getMockBuilder(SensitiveCookieMetadata::class)
             ->disableOriginalConstructor()
             ->getMock();
         $cookieMetadataMock->expects($this->once())
             ->method('setPath')
-            ->with($cookiePath)
-            ->will($this->returnSelf());
+            ->with($cookiePath)->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createSensitiveCookieMetadata')
-            ->will($this->returnValue($cookieMetadataMock));
+            ->willReturn($cookieMetadataMock);
         $this->cookieManagerMock->expects(
             $this->once()
         )->method(
             'deleteCookie'
         )->with(
-            \Magento\Persistent\Model\Session::COOKIE_NAME,
+            Session::COOKIE_NAME,
             $cookieMetadataMock
         );
         $this->session->afterDeleteCommit();
@@ -113,32 +128,31 @@ public function testSetPersistentCookie()
         $duration = 1000;
         $key = 'sessionKey';
         $this->session->setKey($key);
-        $cookieMetadataMock = $this->getMockBuilder(\Magento\Framework\Stdlib\Cookie\PublicCookieMetadata::class)
+        $cookieMetadataMock = $this->getMockBuilder(PublicCookieMetadata::class)
             ->disableOriginalConstructor()
             ->getMock();
         $cookieMetadataMock->expects($this->once())
             ->method('setPath')
-            ->with($cookiePath)
-            ->will($this->returnSelf());
+            ->with($cookiePath)->willReturnSelf();
         $cookieMetadataMock->expects($this->once())
             ->method('setDuration')
-            ->with($duration)
-            ->will($this->returnSelf());
+            ->with($duration)->willReturnSelf();
         $cookieMetadataMock->expects($this->once())
             ->method('setSecure')
-            ->with(false)
-            ->will($this->returnSelf());
+            ->with(false)->willReturnSelf();
         $cookieMetadataMock->expects($this->once())
             ->method('setHttpOnly')
-            ->with(true)
-            ->will($this->returnSelf());
+            ->with(true)->willReturnSelf();
+        $cookieMetadataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Lax')->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createPublicCookieMetadata')
-            ->will($this->returnValue($cookieMetadataMock));
+            ->willReturn($cookieMetadataMock);
         $this->cookieManagerMock->expects($this->once())
             ->method('setPublicCookie')
             ->with(
-                \Magento\Persistent\Model\Session::COOKIE_NAME,
+                Session::COOKIE_NAME,
                 $key,
                 $cookieMetadataMock
             );
@@ -160,36 +174,35 @@ public function testRenewPersistentCookie(
         $cookieValue = 'cookieValue',
         $cookiePath = 'cookiePath'
     ) {
-        $cookieMetadataMock = $this->getMockBuilder(\Magento\Framework\Stdlib\Cookie\PublicCookieMetadata::class)
+        $cookieMetadataMock = $this->getMockBuilder(PublicCookieMetadata::class)
             ->disableOriginalConstructor()
             ->getMock();
         $cookieMetadataMock->expects($this->exactly($numCalls))
             ->method('setPath')
-            ->with($cookiePath)
-            ->will($this->returnSelf());
+            ->with($cookiePath)->willReturnSelf();
         $cookieMetadataMock->expects($this->exactly($numCalls))
             ->method('setDuration')
-            ->with($cookieDuration)
-            ->will($this->returnSelf());
+            ->with($cookieDuration)->willReturnSelf();
         $cookieMetadataMock->expects($this->exactly($numCalls))
             ->method('setSecure')
-            ->with(false)
-            ->will($this->returnSelf());
+            ->with(false)->willReturnSelf();
         $cookieMetadataMock->expects($this->exactly($numCalls))
             ->method('setHttpOnly')
-            ->with(true)
-            ->will($this->returnSelf());
+            ->with(true)->willReturnSelf();
+        $cookieMetadataMock->expects($this->exactly($numCalls))
+            ->method('setSameSite')
+            ->with('Lax')->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->exactly($numCalls))
             ->method('createPublicCookieMetadata')
-            ->will($this->returnValue($cookieMetadataMock));
+            ->willReturn($cookieMetadataMock);
         $this->cookieManagerMock->expects($this->exactly($numGetCookieCalls))
             ->method('getCookie')
-            ->with(\Magento\Persistent\Model\Session::COOKIE_NAME)
-            ->will($this->returnValue($cookieValue));
+            ->with(Session::COOKIE_NAME)
+            ->willReturn($cookieValue);
         $this->cookieManagerMock->expects($this->exactly($numCalls))
             ->method('setPublicCookie')
             ->with(
-                \Magento\Persistent\Model\Session::COOKIE_NAME,
+                Session::COOKIE_NAME,
                 $cookieValue,
                 $cookieMetadataMock
             );

app/code/Magento/Sales/Helper/Guest.php

@@ -15,6 +15,7 @@
 /**
  * Sales module base helper
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  */
 class Guest extends \Magento\Framework\App\Helper\AbstractHelper
 {
@@ -71,7 +72,7 @@ class Guest extends \Magento\Framework\App\Helper\AbstractHelper
     const COOKIE_NAME = 'guest-view';
 
     /**
-     * Cookie path
+     * Cookie path value
      */
     const COOKIE_PATH = '/';
 
@@ -209,7 +210,8 @@ private function setGuestViewCookie($cookieValue)
     {
         $metadata = $this->cookieMetadataFactory->createPublicCookieMetadata()
             ->setPath(self::COOKIE_PATH)
-            ->setHttpOnly(true);
+            ->setHttpOnly(true)
+            ->setSameSite('Lax');
         $this->cookieManager->setPublicCookie(self::COOKIE_NAME, $cookieValue, $metadata);
     }
 
@@ -224,6 +226,7 @@ private function setGuestViewCookie($cookieValue)
      */
     private function loadFromCookie($fromCookie)
     {
+        // phpcs:ignore Magento2.Functions.DiscouragedFunction
         $cookieData = explode(':', base64_decode($fromCookie));
         $protectCode = isset($cookieData[0]) ? $cookieData[0] : null;
         $incrementId = isset($cookieData[1]) ? $cookieData[1] : null;

app/code/Magento/Sales/Test/Unit/Helper/GuestTest.php

@@ -159,6 +159,10 @@ public function testLoadValidOrderNotEmptyPost()
             ->method('setHttpOnly')
             ->with(true)
             ->willReturnSelf();
+        $metaDataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Lax')
+            ->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createPublicCookieMetadata')
             ->willReturn($metaDataMock);
@@ -190,6 +194,10 @@ public function testLoadValidOrderStoredCookie()
             ->method('setHttpOnly')
             ->with(true)
             ->willReturnSelf();
+        $metaDataMock->expects($this->once())
+            ->method('setSameSite')
+            ->with('Lax')
+            ->willReturnSelf();
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createPublicCookieMetadata')
             ->willReturn($metaDataMock);

app/code/Magento/Security/Model/SecurityCookie.php

@@ -10,6 +10,7 @@
 /**
  * Manager for a cookie with logout reason
  *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
  * @api
  * @since 100.1.0
  */
@@ -80,6 +81,7 @@ public function setLogoutReasonCookie($status)
     {
         $metaData = $this->createCookieMetaData();
         $metaData->setPath('/' . $this->backendData->getAreaFrontName());
+        $metaData->setSameSite('Strict');
 
         $this->phpCookieManager->setPublicCookie(
             self::LOGOUT_REASON_CODE_COOKIE_NAME,