expressjs / csurf

CSRF token middleware
MIT License

Upgrade to cookie@0.4.0 for SameSite=None support #205

Closed naeims closed 4 years ago

naeims commented 4 years ago

Currently the following code:

    const csurf = require('csurf');

    const csrf = csurf({
        cookie: {
            key: '_csrf',
            httpOnly: true,
            secure: true,
            sameSite: 'none',
        },
    });

Throws the following error:

    express_error { error:
       TypeError: option sameSite is invalid
           at Object.serialize (/home/me/myapp/node_modules/cookie/index.js:174:15)
           at setCookie (/home/me/myapp/node_modules/csurf/index.js:246:21)
           at setSecret (/home/me/myapp/node_modules/csurf/index.js:275:5)
           at csrf (/home/me/myapp/node_modules/csurf/index.js:107:7)
           at /home/me/myapp/mytest.js:117:9

I believe this is because cookie@0.3.1 does not support none as a valid value for the sameSite option. cookie@0.4.0 has added this support [1].

Other projects that depend on cookie have upgraded to cookie@0.4.0. For example, express-session [2].

SameSite=None is a valid cookie attribute [3] and with the change in Chrome 80 in how SameSite is defaulted [4], setting SameSite=None is a needed feature in csurf.

[1] https://github.com/jshttp/cookie/releases/tag/v0.4.0
[2] https://github.com/expressjs/session/releases/tag/v1.17.0
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
[4] https://www.chromium.org/updates/same-site
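The behaviour change the issue describes, as an added example that is not part of the original thread and not csurf's or cookie's own code: a minimal Set-Cookie serializer in which the accepted SameSite values depend on a hypothetical `cookieVersion` parameter (`'0.3.1'` accepts only `strict`/`lax`, `'0.4.0'` adds `none`), reproducing the `option sameSite is invalid` TypeError from the report and adding the check that browsers following the Chrome 80 rules apply, namely that `SameSite=None` is only honoured together with `Secure`.

```javascript
// Added example, not csurf's or cookie's own code. Which SameSite values a
// release of cookie accepts is modelled here by `SAMESITE_VALUES`; the
// version strings are taken from the issue text, the lookup table is an
// assumption made for illustration.
const SAMESITE_VALUES = {
  '0.3.1': new Set(['strict', 'lax']),          // pre-0.4.0: 'none' rejected
  '0.4.0': new Set(['strict', 'lax', 'none']),  // 0.4.0 adds 'none'
};

// Serialize a CSRF secret cookie the way a csurf-style setCookie helper
// would hand it to cookie.serialize(). `cookieVersion` is a hypothetical
// parameter that selects the accepted SameSite values so both behaviours
// can be exercised side by side.
function serializeCsrfCookie(name, value, options, cookieVersion = '0.4.0') {
  const allowed = SAMESITE_VALUES[cookieVersion];
  if (!allowed) throw new TypeError(`unknown cookie version ${cookieVersion}`);

  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.secure) parts.push('Secure');

  if (options.sameSite !== undefined) {
    const v = typeof options.sameSite === 'string'
      ? options.sameSite.toLowerCase()
      : options.sameSite;

    if (v === true) {
      parts.push('SameSite=Strict');          // `true` is shorthand for Strict
    } else if (v === false) {
      // explicitly omitted: no SameSite attribute at all
    } else if (!allowed.has(v)) {
      // Same error the issue reports when csurf runs on cookie@0.3.1
      throw new TypeError('option sameSite is invalid');
    } else {
      // Browsers following the Chrome 80 rules drop SameSite=None cookies
      // that are not also Secure; fail early instead of emitting a cookie
      // the browser will silently reject.
      if (v === 'none' && !options.secure) {
        throw new TypeError('SameSite=None requires the Secure attribute');
      }
      parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
    }
  }
  return parts.join('; ');
}

// Convenience wrapper: returns the error message instead of throwing, so a
// caller can report why a given option set would be rejected.
function explainRejection(name, value, options, cookieVersion) {
  try {
    serializeCsrfCookie(name, value, options, cookieVersion);
    return null;
  } catch (err) {
    return err.message;
  }
}

module.exports = { serializeCsrfCookie, explainRejection };
```

The option object from the issue (`httpOnly: true, secure: true, sameSite: 'none'`) throws under `'0.3.1'` and serializes to `_csrf=...; HttpOnly; Secure; SameSite=None` under `'0.4.0'`; the same options without `secure` are rejected by the Secure check rather than producing a header the browser would ignore.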

dougwilson commented 4 years ago

Thank you for opening this issue. I did miss updating it on this middleware project. I will get a new release of csurf today for you (and everyone else).