```
express_error { error:
   TypeError: option sameSite is invalid
       at Object.serialize (/home/me/myapp/node_modules/cookie/index.js:174:15)
       at setCookie (/home/me/myapp/node_modules/csurf/index.js:246:21)
       at setSecret (/home/me/myapp/node_modules/csurf/index.js:275:5)
       at csrf (/home/me/myapp/node_modules/csurf/index.js:107:7)
       at /home/me/myapp/mytest.js:117:9
```
I believe this is because cookie@0.3.1 does not support none as a valid value for the sameSite option. cookie@0.4.0 has added this support [1].
Other projects that depend on cookie have upgraded to cookie@0.4.0. For example, express-session [2].
SameSite=None is a valid cookie attribute [3] and with the change in Chrome 80 in how SameSite is defaulted [4], setting SameSite=None is a needed feature in csurf.
Thank you for opening this issue. I did miss updating it on this middleware project. I will get a new release of csurf today for you (and everyone else).
[1] https://github.com/jshttp/cookie/releases/tag/v0.4.0
[2] https://github.com/expressjs/session/releases/tag/v1.17.0
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
[4] https://www.chromium.org/updates/same-site
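The failure reported in this thread, as an added example that is not code from csurf, cookie, or anyone in the thread: a minimal serializer whose `allowNone` switch models the reported difference between cookie@0.3.1 and cookie@0.4.0, a startup probe for it, and an option check for the Chrome 80 rules. All function names and the sample options are hypothetical.

```javascript
// Added sketch, not the cookie package's source. `allowNone` models the gap in the
// issue: false behaves like the cookie@0.3.1 report, true like cookie@0.4.0.
function serializeCookie(name, value, opts = {}, allowNone = true) {
  let str = `${name}=${encodeURIComponent(value)}`;
  if (opts.path) str += `; Path=${opts.path}`;
  if (opts.httpOnly) str += '; HttpOnly';
  if (opts.secure) str += '; Secure';
  if (opts.sameSite) {
    const s = typeof opts.sameSite === 'string' ? opts.sameSite.toLowerCase() : opts.sameSite;
    if (s === true || s === 'strict') str += '; SameSite=Strict';
    else if (s === 'lax') str += '; SameSite=Lax';
    else if (s === 'none' && allowNone) str += '; SameSite=None';
    else throw new TypeError('option sameSite is invalid');
  }
  return str;
}

// Startup probe: does a serialize(name, value, options) function accept sameSite "none"?
function supportsSameSiteNone(serialize) {
  try {
    return /;\s*SameSite=None/i.test(serialize('probe', 'x', { sameSite: 'none', secure: true }));
  } catch (err) {
    if (err instanceof TypeError) return false; // the error seen in the stack trace above
    throw err;
  }
}

// Check cookie options before handing them to the middleware.
function checkCookieOptions(opts) {
  const problems = [];
  const s = typeof opts.sameSite === 'string' ? opts.sameSite.toLowerCase() : opts.sameSite;
  if (!s) problems.push('SameSite unset: Chrome 80+ defaults the cookie to Lax');
  if (s === 'none' && !opts.secure) problems.push('SameSite=None without Secure: Chrome 80+ rejects the cookie');
  return problems;
}

// Constructed sample options for a CSRF secret cookie used in a cross-site context.
const sample = { path: '/', httpOnly: true, secure: true, sameSite: 'none' };
const oldSerialize = (n, v, o) => serializeCookie(n, v, o, false);
console.log('old serializer accepts none:', supportsSameSiteNone(oldSerialize));
console.log('new serializer accepts none:', supportsSameSiteNone(serializeCookie));
console.log(serializeCookie('_csrf', 'abc123', sample));
console.log(checkCookieOptions({ sameSite: 'none' }));
```

In an application, passing `require('cookie').serialize` to `supportsSameSiteNone` at startup reports whether the installed version accepts the value before a request ever hits the middleware.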