Closed IronBlood closed 3 years ago
Sounds perfect for me.
The use of the onion_response_flags is, I guess, to force all cookies SameSite. If so, I think that just adding a flag to onion_response_add_cookie would be a perfect first approximation.
I would like to offer multiple choices as whatever ppl like to use, like:
onion_response_add_cookie(..., OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_NONE);
// or
onion_response_add_cookie(..., OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_STRICT);
If none of the OC_SAMESITE_* flags is used, there'll be no changes to cookies.
There's an example of the SameSite attribute on MDN. Right now it's still in draft stage of RFC 6265, but most major browsers (except IE) already support this attribute, according to MDN's browser compatibility.
I'd like to create a PR if this proposal sounds good to you. Looks like an easy one, with a few more onion_response_flags and more outputs with onion_response_add_cookie, and of course the tests.
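
A sketch of how the flag combinations proposed in this thread could map to a Set-Cookie header, added here as an illustration and not taken from onion's source or from the PR. The helper name format_set_cookie, the numeric flag values and OC_SAMESITE_LAX are assumptions, and refusing SameSite=None without Secure is this example's choice, matching browsers that drop such cookies.

```c
#include <stdio.h>
#include <string.h>

/* Flag names follow the thread; the numeric values are assumed for this sketch.
 * OC_SAMESITE_LAX is not named in the thread and is added as an assumption. */
enum {
    OC_SECURE          = 1 << 0,
    OC_HTTP_ONLY       = 1 << 1,
    OC_SAMESITE_NONE   = 1 << 2,
    OC_SAMESITE_LAX    = 1 << 3,
    OC_SAMESITE_STRICT = 1 << 4
};
#define OC_SAMESITE_MASK (OC_SAMESITE_NONE | OC_SAMESITE_LAX | OC_SAMESITE_STRICT)

/* Hypothetical helper: writes the header line into out.
 * Returns its length, or -1 on conflicting SameSite flags,
 * SameSite=None without Secure, or a buffer that is too small. */
int format_set_cookie(char *out, size_t cap, const char *name,
                      const char *value, int flags)
{
    const char *samesite = NULL;

    switch (flags & OC_SAMESITE_MASK) {
    case 0:                  break;               /* no SameSite flag: cookie unchanged */
    case OC_SAMESITE_NONE:   samesite = "None";   break;
    case OC_SAMESITE_LAX:    samesite = "Lax";    break;
    case OC_SAMESITE_STRICT: samesite = "Strict"; break;
    default:                 return -1;           /* more than one SameSite flag set */
    }
    /* Browsers enforcing the draft drop SameSite=None cookies that lack Secure. */
    if ((flags & OC_SAMESITE_NONE) && !(flags & OC_SECURE))
        return -1;

    int n = snprintf(out, cap, "Set-Cookie: %s=%s%s%s%s%s", name, value,
                     (flags & OC_SECURE) ? "; Secure" : "",
                     (flags & OC_HTTP_ONLY) ? "; HttpOnly" : "",
                     samesite ? "; SameSite=" : "",
                     samesite ? samesite : "");
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char buf[128];   /* constructed sample cookie, not from the thread */
    if (format_set_cookie(buf, sizeof buf, "sid", "abc123",
                          OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_STRICT) > 0)
        puts(buf);
    return 0;
}
```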