feat(ngCookies): support samesite option

Closes #16543 Closes #16544
angular · May 17, 2018 · 10a229c · 10a229c
1 parent f9d1ca2
commit 10a229c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/src/ngCookies/cookieWriter.js b/src/ngCookies/cookieWriter.js
@@ -33,6 +33,7 @@ function $$CookieWriter($document, $log, $browser) {
     str += options.domain ? ';domain=' + options.domain : '';
     str += expires ? ';expires=' + expires.toUTCString() : '';
     str += options.secure ? ';secure' : '';
+    str += options.samesite ? ';samesite=' + options.samesite : '';
 
     // per http://www.ietf.org/rfc/rfc2109.txt browser must allow at minimum:
     // - 300 cookies

diff --git a/src/ngCookies/cookies.js b/src/ngCookies/cookies.js
@@ -38,6 +38,10 @@ angular.module('ngCookies', ['ng']).
      *   or a Date object indicating the exact date/time this cookie will expire.
      * - **secure** - `{boolean}` - If `true`, then the cookie will only be available through a
      *   secured connection.
+     * - **samesite** - `{string}` - prevents the browser from sending the cookie along with cross-site requests.
+     *   Accepts the values `lax` and `strict`. See the [OWASP Wiki](https://www.owasp.org/index.php/SameSite)
+     *   for more info. Note that as of May 2018, not all browsers support `SameSite`,
+     *   so it cannot be used as a single measure against Cross-Site-Request-Forgery (CSRF) attacks.
      *
      * Note: By default, the address that appears in your `<base>` tag will be used as the path.
      * This is important so that cookies will be visible for all routes when html5mode is enabled.

diff --git a/test/ngCookies/cookieWriterSpec.js b/test/ngCookies/cookieWriterSpec.js
@@ -181,6 +181,16 @@ describe('cookie options', function() {
     expect(getLastCookieAssignment('secure')).toBe(true);
   });
 
+  it('should accept samesite option when value is lax', function() {
+    $$cookieWriter('name', 'value', {samesite: 'lax'});
+    expect(getLastCookieAssignment('samesite')).toBe('lax');
+  });
+
+  it('should accept samesite option when value is strict', function() {
+    $$cookieWriter('name', 'value', {samesite: 'strict'});
+    expect(getLastCookieAssignment('samesite')).toBe('strict');
+  });
+
   it('should accept expires option on set', function() {
     $$cookieWriter('name', 'value', {expires: 'Fri, 19 Dec 2014 00:00:00 GMT'});
     expect(getLastCookieAssignment('expires')).toMatch(/^Fri, 19 Dec 2014 00:00:00 (UTC|GMT)$/);