SameSite Cookies #128
Commits bf5a285 to a870e53
Tried to take a look this evening; a bit tired out. I'll pick it up tomorrow and see if I can get this sorted for you.
I think we should consider what the draft says about the Same-Site attribute, and whether it being set to 'none' or Null will cause the cookie to be ignored.
4.1.2.7. The SameSite Attribute
The "SameSite" attribute limits the scope of the cookie such that it
will only be attached to requests if those requests are same-site, as
defined by the algorithm in Section 5.2. For example, requests for
"https://example.com/sekrit-image" will attach same-site cookies if
and only if initiated from a context whose "site for cookies" is
"example.com".
If the "SameSite" attribute's value is "Strict", the cookie will only
be sent along with "same-site" requests. If the value is "Lax", the
cookie will be sent with same-site requests, and with "cross-site"
top-level navigations, as described in Section 5.3.7.1. If the
"SameSite" attribute's value is neither of these, the cookie will be
ignored.
if (value === 'none' || value === 'lax' || value === 'strict') { | ||
return value; | ||
} else { | ||
return null; |
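Review bot: the comparison accepts 'none' as a valid explicit value, while the draft text quoted above (4.1.2.7) only names "Strict" and "Lax" and says anything else makes the cookie ignored; a short comment on this `if` should state why 'none' is accepted (the same-site-flag default of "None" from Section 5.4) so the difference from the quoted paragraph reads as intentional. The same comment should say that `null` means "not one of the three valid values" and that callers use it to branch into an Error, and that the `value` being compared must already be lowercased, since the literals here are all lowercase.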
Should we return 'none' here instead of null? Null will have the same effect as none on the cookie, but since we support none as a value, it seems more consistent.
If the "SameSite" attribute's value is "Strict", the cookie will only
be sent along with "same-site" requests. If the value is "Lax", the
cookie will be sent with same-site requests, and with "cross-site"
top-level navigations, as described in Section 5.3.7.1. If the
"SameSite" attribute's value is neither of these, the cookie will be
ignored.
The intent of null here is simply that it wasn't one of the three valid values. It also forces the value to lowercase for checking in other parts of the code.
@awaterma Check out the two calls to this method; it's just used to branch into returning an Error
Sorry about that; I think you're definitely right about the return value.
@@ -725,6 +753,7 @@ Cookie.prototype.domain = null; | |||
Cookie.prototype.path = null; | |||
Cookie.prototype.secure = false; | |||
Cookie.prototype.httpOnly = false; | |||
Cookie.prototype.sameSite = "none"; |
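Review bot: the `"none"` default on `Cookie.prototype.sameSite` mirrors the Section 5.4 rule that a cookie whose attribute list has no SameSite entry gets a same-site-flag of "None", but as written a reader can mistake it for an explicit `SameSite=None` attribute; add a comment on this line saying it is the internal default for an absent attribute, and check that serialization omits the attribute when the value is still this default rather than emitting `SameSite=none`.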
Should this be set? Won't setting this to 'none' make the cookie ignored by default?
I should stick a comment on this about this step in Section 5.4:
- If the cookie-attribute-list contains an attribute with an
attribute-name of "SameSite", set the cookie's same-site-flag to
attribute-value (i.e. either "Strict" or "Lax"). Otherwise, set
the cookie's same-site-flag to "None".
Never mind, have that in the code below already.
I see that. :) No worries.
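The behaviour the thread is discussing (normalizing the SameSite attribute to one of three lowercase values or null, defaulting the flag to "none" when the attribute is absent as in Section 5.4, and attaching Strict/Lax/None cookies per the quoted Section 4.1.2.7 text) as a worked example. This is added illustration, not tough-cookie's own code; the function names `parseSameSite`, `parseSetCookie` and `shouldAttach`, the `sameSiteInvalid` field and the request-context fields `sameSite` and `topLevelNavigation` are assumptions for the example, and only the SameSite attribute is modelled.

```javascript
// Added example (not tough-cookie's code): SameSite parsing and attachment
// decisions following the 6265bis draft text quoted in the PR thread.

const SAME_SITE_VALUES = new Set(['strict', 'lax', 'none']);

// Normalize a raw SameSite attribute value. Returns 'strict', 'lax' or
// 'none', or null when the value is not one of the three valid values
// (null lets a caller branch into an error, as the PR's helper does).
function parseSameSite(raw) {
  if (typeof raw !== 'string') return null;
  const value = raw.trim().toLowerCase();
  return SAME_SITE_VALUES.has(value) ? value : null;
}

// Parse a Set-Cookie header into {name, value, sameSite, sameSiteInvalid}.
// Section 5.4: when no SameSite attribute is present, the same-site-flag
// is "None", so the default here is 'none'. A SameSite attribute with an
// unrecognized value is recorded as invalid (assumed field name) so the
// caller can apply the quoted rule that such a cookie is ignored.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 0) return null; // no name=value pair; not a cookie
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    sameSite: 'none',
    sameSiteInvalid: false,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const attrName = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const attrValue = i < 0 ? '' : attr.slice(i + 1).trim();
    if (attrName === 'samesite') {
      const parsed = parseSameSite(attrValue);
      if (parsed === null) cookie.sameSiteInvalid = true;
      else cookie.sameSite = parsed;
    }
  }
  return cookie;
}

// Decide whether a cookie is attached to a request, per the quoted
// Section 4.1.2.7: Strict only on same-site requests, Lax also on
// cross-site top-level navigations, None always (other attributes such as
// Secure or Path are out of scope for this example). The request context
// shape {sameSite, topLevelNavigation} is an assumption of the example.
function shouldAttach(cookie, { sameSite, topLevelNavigation }) {
  if (cookie.sameSiteInvalid) return false; // draft: cookie is ignored
  switch (cookie.sameSite) {
    case 'strict':
      return sameSite;
    case 'lax':
      return sameSite || topLevelNavigation;
    case 'none':
      return true;
    default:
      return false;
  }
}
```

Usage: `shouldAttach(parseSetCookie('sid=abc; SameSite=Lax'), { sameSite: false, topLevelNavigation: true })` returns true, while the same cookie with `SameSite=Strict` returns false for that cross-site navigation, and a cookie with no SameSite attribute parses with `sameSite === 'none'`.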
I may be misreading the RFC. But I think it merits some discussion.
@awaterma I re-read your comments and I think this is good to go as-is. Left a comment. Let me know if that makes sense.
Approved during meeting today (I had no further changes)
What's the status of this PR?
@TimothyGu -- unchanged. I think @ShivanKaul will take a look sometime soon.
@TimothyGu - it was good to go until another PR got merged :D I'll resolve conflicts and merge this week.
Support for SameSite cookies, see #80 and also the other 6265bis issues.