hapijs / crumb

CSRF crumb generation and validation for hapi

support legacy cookies for samesite policy in iframe #140

Closed IArny closed 4 years ago

IArny commented 4 years ago

Support plan

Context

What problem are you trying to solve?

I faced a problem using the crumb plugin in an application which is embedded in another app via an iframe. As you may know, Chrome 80 is going to change the cookie policy (https://www.chromestatus.com/feature/5088147346030592), and cookies from third parties will not be sent.

Now we are sending the CSRF cookie on an HTTP host with these settings:

cookieOptions: {
  isSecure: false,
  isHttpOnly: false,
  isSameSite: false,
  path: config.client.contextRoot
}

In the new Chrome we need to update the host to HTTPS and the settings to:

cookieOptions: {
  isSecure: true,
  path: contextRoot,
  isSameSite: 'None',
  isHttpOnly: false
}

But we still need to support some browsers that don't support SameSite: 'None' (Safari). So we need a way to set two different cookies for new and legacy browsers.

Do you have a new or modified API suggestion to solve the problem?

We have updated our cookie in this way:

// cookie settings for legacy browsers
const cookieParamsLegacy = {
  isSecure: false,
  path: contextRoot,
  isSameSite: false,
  isHttpOnly: false
};

// cookie settings for new browsers
const cookieParams = {
  isSecure: true,
  path: contextRoot,
  isSameSite: 'None',
  isHttpOnly: false
};

// and then we return both cookies
return h
  .redirect(path.join('/', contextRoot, request.path))
  // Legacy cookies
  .state('tokenLegacy', tokenParam, cookieParamsLegacy)
  // New cookies
  .state('token', tokenParam, cookieParams)
  .takeover();

It would be useful if the plugin provided some options for callbacks which would receive h.state and the crumb. Using these callbacks we could replace the current cookie-setting method (https://github.com/hapijs/crumb/blob/2dd9dca7b29481e9d4043283aeb9320d6f7aafa3/lib/index.js#L215) and the cookie-get method (https://github.com/hapijs/crumb/blob/2dd9dca7b29481e9d4043283aeb9320d6f7aafa3/lib/index.js#L115).

hueniverse commented 4 years ago

This is addressed in hapi v19 coming in the next week or so.