allow explicit SameSite=None cookies

[robjtede]

Given the upcoming changes in Chrome to default SameSite-less cookies to Lax, we should allow the option to explicity set None cookies.

This could be considered non-breaking while Chrome's changes are still in beta.

It's also possible this change should be packported to 0.x and 1.x branches.

fixes #1035

[codecov]

Codecov Report

Merging #1282 into master will decrease coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1282      +/-   ##
==========================================
- Coverage   80.47%   80.46%   -0.02%     
==========================================
  Files         159      159              
  Lines       18541    18540       -1     
==========================================
- Hits        14921    14918       -3     
- Misses       3620     3622       +2

Impacted Files	Coverage Δ
actix-http/src/cookie/mod.rs	92.57% <100%> (-0.04%)	⬇️
actix-http/src/cookie/draft.rs	23.52% <100%> (-11.77%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 412e54c...464db0c. Read the comment docs.

[fafhrd91]

Could you add entry to changes.md
Also we should mention chia change in migration.md, technically this is breaking change

[robjtede]

IMHO this should not be considered a breaking change, but a bug fix. Anyone using .same_site(SameSite::None) and expecting the same behavior as not setting it has been relying on a bug.

[fafhrd91]

this is breaking change even if original behavior is wrong. we have to mention change in default behavior in migration.md

[robjtede]

the migration.md file mentions the change now

[codecov-io]

Codecov Report

Merging #1282 into master will decrease coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1282      +/-   ##
==========================================
- Coverage   80.47%   80.46%   -0.02%     
==========================================
  Files         159      159              
  Lines       18541    18540       -1     
==========================================
- Hits        14921    14918       -3     
- Misses       3620     3622       +2

Impacted Files	Coverage Δ
actix-http/src/cookie/mod.rs	92.57% <100%> (-0.04%)	⬇️
actix-http/src/cookie/draft.rs	23.52% <100%> (-11.77%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2e9ab06...8182fa0. Read the comment docs.

[cetra3]

There are more browsers than just chrome & there should be a way to have no samesite (existing behaviour) or a samesite with a value of None.

[robjtede]

@cetra3 omitting the call to set samesite will result in no samesite flag being sent in the set-cookie header

eg. most of the tests dont set it and pass without it being asserted

the issue is that None is being treated the same as Some(SameSite::None) which will be incorrect

[cetra3]

Ah right, I don't have an issue with it if that is the case (I.e, if it's not set there is no change in behaviour)

[JohnTitor]

Thanks!