Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why sameSite=None is not added for toString method #378

Open
stefanbeigel opened this issue Mar 7, 2024 · 1 comment
Open

Why sameSite=None is not added for toString method #378

stefanbeigel opened this issue Mar 7, 2024 · 1 comment
Labels
6265bis Officially proposed changes to RFC 6265

Comments

@stefanbeigel
Copy link

stefanbeigel commented Mar 7, 2024

https://github.com/salesforce/tough-cookie/blob/master/lib/cookie/cookie.ts#L612

As far as I know chrome treats cookies with no SameSite attribute as SameSite=Lax.
So setting SameSite=None is not same as setting no SameSite.

So I wonder why it is not returned by the toString method.

@colincasey colincasey added the 6265bis Officially proposed changes to RFC 6265 label Mar 7, 2024
@colincasey
Copy link
Contributor

Good question @stefanbeigel. The SameSite attribute is not part of rfc6265 and instead comes from the active draft rfc6265bis. The SameSite implementation for tough-cookie was added in this commit which references version 2 of httpbis-rfc6265bis:

If the attribute-name case-insensitively matches the string
"SameSite", the user agent MUST process the cookie-av as follows:

  1. If cookie-av's attribute-value is not a case-insensitive match
    for "Strict" or "Lax", ignore the "cookie-av".

  2. Let "enforcement" be "Lax" if cookie-av's attribute-value is a
    case-insensitive match for "Lax", and "Strict" otherwise.

  3. Append an attribute to the cookie-attribute-list with an
    attribute-name of "SameSite" and an attribute-value of
    "enforcement".

But the steps above no longer match up with the latest version of rfc6265bis:

Let enforcement be "Default".

If cookie-av's attribute-value is a case-insensitive match for "None", set enforcement to "None".

If cookie-av's attribute-value is a case-insensitive match for "Strict", set enforcement to "Strict".

If cookie-av's attribute-value is a case-insensitive match for "Lax", set enforcement to "Lax".

Append an attribute to the cookie-attribute-list with an attribute-name of "SameSite" and an attribute-value of enforcement.

The current implementation should be corrected to match the text above.

For our 5.x release, we have been focused on porting over the previous JavaScript implementation so that it matches that behavior as accurately as possible (bugs and all) before working on improvements which is why the TypeScript code, though recently added, matches the earlier draft spec implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6265bis Officially proposed changes to RFC 6265
Projects
None yet
Development

No branches or pull requests

2 participants