SameSite support - Githubissues

voltace / browser-cookies

Tiny cookies library for the browser

The Unlicense

89 stars 19 forks source link

SameSite support #11

Closed crstffr closed 6 years ago

crstffr commented 7 years ago

It would be great to have support for the SameSite option.

https://www.owasp.org/index.php/SameSite

https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1

voltace commented 7 years ago

Thanks for sharing, I wasn't familiar with the SameSite spec yet. I agree it would be nice to support this feature, the only reservation I have is that the spec is still in Draft state. Do you have any insight into whether the SameSite functionality is likely to be consolidated into RFC6265 and adopted by the major browser vendor?

Perhaps support for SameSite (Strict+Lax) could be added to this project with a disclaimer that this is an experimental feature.

crstffr commented 7 years ago

That's a good point. I have no extra knowledge of it's future adoption than what is readily available via searching. I understand if you don't wish to add draft features to your library.

voltace commented 7 years ago

Then I'll propose to add SameSite support as an experimental feature to this library, by which I mean:

The functionality may be subject to change as the specification hasn't been finalized yet.
The functionality will not be recommended for production use.
The functionality may be removed if SameSite doesn't gain popularity,
else if SameSite does gain popularity it will be made a permanent feature of this library once the spec gets promoted to standards track.

Is this OK?

crstffr commented 7 years ago

That sounds reasonable. Thanks for looking into it.

voltace commented 7 years ago

I've added support for SameSite. To enable SameSite the samesite option needs to be set to desired enforcement mode (i.e. "Strict" or "Lax").

Name	Type	Default	Description
`samesite`	`String`	`""`	The `samesite` argument may be used to prevent cookies from being sent along with cross-site requests. If set to `""` the SameSite feature will not be used. If set to `"Strict"` the cookie will only be sent along with "same-site" requests. If set to `"Lax"` the cookie will be sent with "same-site" requests and with "cross-site" top-level navigations. This is an experimental feature as only a few browsers support SameSite and the standard has not been finalized yet. Don't use this feature in production environments.

crstffr commented 7 years ago

That looks great!

JaneX8 commented 7 years ago

Nice work @voltace :) See also: http://caniuse.com/#feat=same-site-cookie-attribute. Let's hope for wider browser support soon to upgrade it's status from experimental ;).

Firefox is currently considering: https://bugzilla.mozilla.org/show_bug.cgi?id=1351663