davidmoreno / onion

C library to create simple HTTP servers and Web Applications.
http://www.coralbits.com/libonion/

Any plans on supporting "SameSite" cookie? #281

Closed IronBlood closed 3 years ago

IronBlood commented 3 years ago

There's an example of the SameSite attribute on MDN:

Set-Cookie: mykey=myvalue; SameSite=Strict

Right now it's still in the draft stage of RFC 6265, but most major browsers (except IE) already support this attribute, according to MDN's browser compatibility.

I'd like to create a PR if this proposal sounds good to you. Looks like an easy one, with a few more onion_response_flags and more outputs with onion_response_add_cookie, and of course the tests.

davidmoreno commented 3 years ago

Sounds perfect for me.

The use of the onion_response_flags is, I guess, to force all cookies SameSite. If so, I think that just adding a flag to onion_response_add_cookie would be a perfect first approximation.

IronBlood commented 3 years ago

I would like to offer multiple choices as whatever people like to use, like:

onion_response_add_cookie(..., OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_NONE);
// or
onion_response_add_cookie(..., OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_STRICT);

If none of the OC_SAMESITE_* flags is used, there'll be no changes to cookies.
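
An added sketch, not part of the thread and not onion's code, of how per-cookie SameSite flags could be turned into attribute text. The `OC_*` names follow the comments above; their numeric values, `OC_SAMESITE_LAX` and the helper `build_set_cookie` are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Flag names follow the thread; the numeric values and OC_SAMESITE_LAX
 * are assumptions for this example, not onion's definitions. */
enum cookie_flags {
  OC_HTTP_ONLY       = 1 << 0,
  OC_SECURE          = 1 << 1,
  OC_SAMESITE_NONE   = 1 << 2,
  OC_SAMESITE_LAX    = 1 << 3, /* hypothetical */
  OC_SAMESITE_STRICT = 1 << 4,
};

/* Hypothetical helper: writes "name=value[; attrs]" into out. Returns the
 * length written, or -1 on conflicting SameSite flags, SameSite=None without
 * Secure, bytes that would break the header, or truncation. */
int build_set_cookie(char *out, size_t n, const char *name,
                     const char *value, int flags) {
  const char *samesite = ""; /* no OC_SAMESITE_* flag: cookie unchanged */
  int ss = flags & (OC_SAMESITE_NONE | OC_SAMESITE_LAX | OC_SAMESITE_STRICT);

  if (ss & (ss - 1))
    return -1; /* more than one SameSite mode requested */
  if (ss == OC_SAMESITE_NONE && !(flags & OC_SECURE))
    return -1; /* current browsers reject SameSite=None without Secure */
  if (!*name || strpbrk(name, "=;\r\n") || strpbrk(value, ";\r\n"))
    return -1; /* would add attributes or extra header lines */

  if (ss == OC_SAMESITE_NONE) samesite = "; SameSite=None";
  else if (ss == OC_SAMESITE_LAX) samesite = "; SameSite=Lax";
  else if (ss == OC_SAMESITE_STRICT) samesite = "; SameSite=Strict";

  int len = snprintf(out, n, "%s=%s%s%s%s", name, value,
                     (flags & OC_SECURE) ? "; Secure" : "",
                     (flags & OC_HTTP_ONLY) ? "; HttpOnly" : "",
                     samesite);
  return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void) {
  char buf[128];
  /* Constructed sample values, taken from the MDN-style header above. */
  if (build_set_cookie(buf, sizeof buf, "mykey", "myvalue",
                       OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_STRICT) > 0)
    printf("Set-Cookie: %s\n", buf);
  return 0;
}
```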