Impossible to distinguish between unspecified SameSite and SameSite=None #191

Closed
flotwig opened this issue Mar 26, 2020 · 1 comment · Fixed by #240

flotwig commented Mar 26, 2020

Currently, both of these calls will result in a cookie with sameSite: 'none':

```
> tough.parse('foo=bar').sameSite
'none'
> tough.parse('foo=bar; SameSite=None').sameSite
'none'
```

This means we can't distinguish between SameSite=None and no SameSite declaration at all.

This causes problems when attempting to set a default SameSite that is not 'none'. For example, when trying to emulate the behavior of Chrome and Firefox (both of which are moving towards SameSite=Lax as the default for an unspecified SameSite attribute), it's impossible to tell if the default behavior should be applied, or if the Set-Cookie explicitly passed None, because both result in sameSite: 'none'.

For now, I'm using a workaround like this to determine if SameSite is really unspecified or if it's explicitly None:

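```js
const tough = require('tough-cookie')
// Matches an explicit SameSite=None attribute in the raw header text
const sameSiteNoneRe = /; +samesite=(?:'none'|"none"|none)/i
// setCookieHeader is the raw Set-Cookie header string
const cookie = tough.parse(setCookieHeader)
const hasUnspecifiedSameSite = cookie.sameSite === 'none' && !sameSiteNoneRe.test(setCookieHeader)
```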
ruoho self-assigned this May 18, 2020
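An added example, not part of the original issue and not tough-cookie's code: a dependency-free way to recover the declared SameSite value from the raw Set-Cookie header, so that an absent attribute (`undefined`) stays distinct from an explicit `None` and a Lax default can be applied. The function names are hypothetical. It assumes the parsing rules of the RFC 6265bis draft: attribute names and values compare case-insensitively, the last SameSite attribute wins, and an unrecognised value counts as unspecified.

```javascript
const KNOWN_SAMESITE = ['strict', 'lax', 'none']

// Returns 'strict' | 'lax' | 'none' when the header declares a recognised
// SameSite value, or undefined when it declares none.
function declaredSameSite (setCookieHeader) {
  // Everything before the first ';' is the cookie's name=value pair, so a
  // cookie value that merely contains "samesite=none" is never inspected.
  const attributes = setCookieHeader.split(';').slice(1)
  let declared
  for (const attribute of attributes) {
    const eq = attribute.indexOf('=')
    const name = (eq === -1 ? attribute : attribute.slice(0, eq)).trim().toLowerCase()
    if (name !== 'samesite') continue
    const value = eq === -1 ? '' : attribute.slice(eq + 1).trim().toLowerCase()
    // Assumption (RFC 6265bis draft): the last SameSite attribute wins, and
    // an unrecognised value resets the cookie to "unspecified".
    declared = KNOWN_SAMESITE.includes(value) ? value : undefined
  }
  return declared
}

// Applies a browser-style default only when nothing usable was declared.
function effectiveSameSite (setCookieHeader, defaultValue = 'lax') {
  const declared = declaredSameSite(setCookieHeader)
  return declared === undefined ? defaultValue : declared
}

// Constructed sample headers covering the cases that a parsed value of
// 'none' cannot tell apart.
function classifySamples () {
  const samples = [
    'foo=bar',
    'foo=bar; SameSite=None; Secure',
    'foo=bar;samesite=NONE',
    'foo=bar; SameSite=Strict; SameSite=bogus',
    'foo=samesite=none'
  ]
  return samples.map((header) => ({
    header,
    declared: declaredSameSite(header),
    effective: effectiveSameSite(header)
  }))
}

for (const row of classifySamples()) console.log(row)
```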
ShivanKaul (Contributor) commented

Hey @flotwig, this makes sense. We're going to work on this. Sorry for the delay!

colincasey assigned colincasey and unassigned ruoho May 31, 2022
wjhsf pushed a commit that referenced this issue Feb 8, 2024
update lwc to 1.9.3-230.1 and @lwc/jest* to 9.0.0-230.0
update API version to 51.0