From fac05de8dfa77d722dac5237f0d8c54b6e0222ac Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 17 May 2019 15:24:31 +0200
Subject: [PATCH] Support "none" in sameSite option
closes #109 closes #111
---
 HISTORY.md | 1 +
 index.js | 4 ++--
 test/cookie.js | 7 +++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/HISTORY.md b/HISTORY.md
index a2a021b..7b8bf48 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -3,6 +3,7 @@ unreleased
 * Fix check for default `secure` option behavior
 * Fix `maxAge` option preventing cookie deletion
+ * Support `"none"` in `sameSite` option
 * deps: depd@~2.0.0
 - Replace internal `eval` usage with `Function` constructor
 - Use instance methods on `process` to check for listeners
diff --git a/index.js b/index.js
index 17f0157..3dd6728 100644
--- a/index.js
+++ b/index.js
@@ -26,7 +26,7 @@ var fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;
 * RegExp to match Same-Site cookie attribute value.
 */
-var sameSiteRegExp = /^(?:lax|strict)$/i
+var SAME_SITE_REGEXP = /^(?:lax|none|strict)$/i
 function Cookies(request, response, options) {
 if (!(this instanceof Cookies)) return new Cookies(request, response, options)
@@ -146,7 +146,7 @@ function Cookie(name, value, attrs) {
 throw new TypeError('option domain is invalid');
 }
- if (this.sameSite && this.sameSite !== true && !sameSiteRegExp.test(this.sameSite)) {
+ if (this.sameSite && this.sameSite !== true && !SAME_SITE_REGEXP.test(this.sameSite)) {
 throw new TypeError('option sameSite is invalid')
 }
 }
diff --git a/test/cookie.js b/test/cookie.js
index 347c2e8..b966d01 100644
--- a/test/cookie.js
+++ b/test/cookie.js
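Review bot: In index.js, at the regex declaration in the first hunk, the rename to `SAME_SITE_REGEXP` leaves the file with two naming styles, since the hunk header still shows the sibling pattern as `fieldContentRegExp`. Either keep `sameSiteRegExp` here or rename the other patterns in a separate commit, so this change stays a one-word addition to the alternation. The doc comment above the declaration could also name what is accepted, for example `RegExp to match Same-Site cookie attribute value (lax, none or strict, case-insensitive).`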
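Review bot: The sameSite check in `Cookie` (index.js, second hunk) now lets `none` through without looking at `secure`, and the new test in test/cookie.js pins a header of `samesite=none` with no `secure` attribute. `SameSite=None` opts the cookie out of the cross-site request protection that `lax` and `strict` give, and browsers that enforce the newer SameSite rules reject a `SameSite=None` cookie that is not also `Secure`, so a caller can end up with a cookie that is silently never stored. Where `secure` is finally decided is not visible in this hunk, so a guard probably belongs at that point rather than in the constructor; at minimum the option's documentation should say that `sameSite: 'none'` must be paired with `secure: true`, and a test with both set would pin the intended header. The body of `Cookie` starts outside the hunk.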
@@ -95,6 +95,13 @@ describe('new Cookie(name, value, [options])', function () {
 })
 })
+ describe('when set to "none"', function () {
+ it('should set "samesite=none" attribute in header', function () {
+ var cookie = new cookies.Cookie('foo', 'bar', { sameSite: 'none' })
+ assert.equal(cookie.toHeader(), 'foo=bar; path=/; samesite=none; httponly')
+ })
+ })
+
 describe('when set to "strict"', function () {
 it('should set "samesite=strict" attribute in header', function () {
 var cookie = new cookies.Cookie('foo', 'bar', { sameSite: 'strict' })