From aa4396da7abcb2dbe607db7b31606f7dd0f45709 Mon Sep 17 00:00:00 2001
From: Colin Casey
Date: Wed, 27 Jul 2022 14:53:02 -0300
Subject: [PATCH] fix: distinguish between no samesite and samesite=none (#240)
* Adding some initial tests
* fix: distinguish between no samesite and samesite=none
---
lib/cookie.js | 16 ++++++++++------
test/parsing_test.js | 38 +++++++++++++++++++++++++++++++++-----
test/same_site_test.js | 8 ++++----
3 files changed, 47 insertions(+), 15 deletions(-)
diff --git a/lib/cookie.js b/lib/cookie.js
index 1136313d..862fe015 100644
--- a/lib/cookie.js
+++ b/lib/cookie.js
@@ -619,11 +619,11 @@ function parse(str, options) {
 case "lax":
 c.sameSite = "lax";
 break;
+ case "none":
+ c.sameSite = "none";
+ break;
 default:
- // RFC6265bis-02 S5.3.7 step 1:
- // "If cookie-av's attribute-value is not a case-insensitive match
- // for "Strict" or "Lax", ignore the "cookie-av"."
- // This effectively sets it to 'none' from the prototype.
+ c.sameSite = undefined;
 break;
 }
 break;
@@ -807,7 +807,7 @@ const cookieDefaults = {
 pathIsDefault: null,
 creation: null,
 lastAccessed: null,
- sameSite: "none"
+ sameSite: undefined
 };
 class Cookie {
@@ -1221,7 +1221,11 @@ class CookieJar {
 }
 // 6252bis-02 S5.4 Step 13 & 14:
- if (cookie.sameSite !== "none" && sameSiteContext) {
+ if (
+ cookie.sameSite !== "none" &&
+ cookie.sameSite !== undefined &&
+ sameSiteContext
+ ) {
 // "If the cookie's "same-site-flag" is not "None", and the cookie
 // is being set from a context whose "site for cookies" is not an
 // exact match for request-uri's host's registered domain, then
diff --git a/test/parsing_test.js b/test/parsing_test.js
index 5a9e944c..2db48131 100644
--- a/test/parsing_test.js
+++ b/test/parsing_test.js
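Review bot: The new `default:` arm in the `@@ -619` hunk assigns `c.sameSite = undefined` unconditionally, so a value already parsed from an earlier SameSite attribute on the same Set-Cookie line (e.g. `SameSite=Strict; SameSite=bogus`) is overwritten, whereas the old arm left it alone, which is what the removed RFC6265bis-02 S5.3.7 quote ("ignore the cookie-av") describes. Assuming `c` is still initialised from `cookieDefaults`, whose `sameSite` the next hunk changes to `undefined`, an absent attribute already yields `undefined` without this assignment, so the arm can be `default: break;`; if the reset is intended, that deserves a comment explaining why an unrecognised value should win over an earlier valid one. Either way, keep the spec reference in place of the deleted comment, e.g. `// RFC6265bis-02 S5.3.7 step 1: an unrecognised value is ignored, leaving sameSite unset`. `parse` continues outside the hunk.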
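Review bot: In the `@@ -1221` hunk the rewritten condition exempts `undefined` but not `null`, so a cookie whose `sameSite` is `null` (if any construction or deserialisation path can produce that, which is not visible here) would still be treated as enforced and rejected from a cross-site `sameSiteContext` although no SameSite attribute was ever parsed; `cookie.sameSite == null` would cover both cases if that is the intent. The bis-02 text quoted right below the condition only mentions "None", so the extra operand needs a one-line comment such as `// undefined: no SameSite attribute was parsed, so there is no same-site-flag to enforce`. The enclosing method starts and ends outside the hunk.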
@@ -158,8 +158,8 @@ vows
 "has max-age": function(c) {
 assert.equal(c.maxAge, 1234);
 },
- "has same-site 'none'": function(c) {
- assert.equal(c.sameSite, "none");
+ "has same-site 'undefined'": function(c) {
+ assert.equal(c.sameSite, undefined);
 },
 "has extensions": function(c) {
 assert.ok(c.extensions);
@@ -677,19 +677,47 @@ vows
 assert.equal(c.extensions, null);
 }
 },
- absent: {
+ none: {
 topic: function() {
- return Cookie.parse("abc=xyzzy; SameSite=example.com") || null;
+ return Cookie.parse("abc=xyz; SameSite=NoNe") || null;
 },
 parsed: function(c) {
 assert.ok(c);
 },
- "is set to 'none' (by prototype)": function(c) {
+ "is none (lowercased)": function(c) {
 assert.equal(c.sameSite, "none");
 },
 "no extensions": function(c) {
 assert.equal(c.extensions, null);
 }
+ },
+ bad: {
+ topic: function() {
+ return Cookie.parse("abc=xyzzy; SameSite=example.com") || null;
+ },
+ parsed: function(c) {
+ assert.ok(c);
+ },
+ "is set to 'undefined'": function(c) {
+ assert.equal(c.sameSite, undefined);
+ },
+ "no extensions": function(c) {
+ assert.equal(c.extensions, null);
+ }
+ },
+ absent: {
+ topic: function() {
+ return Cookie.parse("abc=xyzzy;") || null;
+ },
+ parsed: function(c) {
+ assert.ok(c);
+ },
+ "is set to 'undefined'": function(c) {
+ assert.equal(c.sameSite, undefined);
+ },
+ "no extensions": function(c) {
+ assert.equal(c.extensions, null);
+ }
 }
 },
 "empty string": {
diff --git a/test/same_site_test.js b/test/same_site_test.js
index c43b3f4e..e7230fc1 100644
--- a/test/same_site_test.js
+++ b/test/same_site_test.js
@@ -124,9 +124,9 @@ vows
 topic: function(options) {
 this.callSetCookie("garbage", options, this.callback);
 },
- "treated as 'none'": function(err, cookie) {
+ "treated as 'undefined'": function(err, cookie) {
 assert.isNull(err);
- assert.equal(cookie.sameSite, "none");
+ assert.equal(cookie.sameSite, undefined);
 }
 },
 "for strict cookie": {
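Review bot: The replacement assertion `assert.equal(c.sameSite, undefined)` is a loose (`==`) comparison, so it also passes when `sameSite` is `null`, which blurs exactly the "unset versus a value" distinction this commit introduces; `assert.isUndefined(c.sameSite)` (vows already supplies `assert.isNull` in the same_site tests) or `assert.strictEqual(c.sameSite, undefined)` pins it. The same applies to the `bad` and `absent` topics in the second hunk of this file and to both hunks of test/same_site_test.js. The new `none` topic only covers a single `SameSite=NoNe` attribute; a case with a valid SameSite followed by an unrecognised one on the same line would pin what the parser's `default:` arm leaves behind.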
@@ -151,9 +151,9 @@ vows
 topic: function(options) {
 this.callSetCookie("normal", options, this.callback);
 },
- "treated as 'none'": function(err, cookie) {
+ "treated as 'undefined'": function(err, cookie) {
 assert.isNull(err);
- assert.equal(cookie.sameSite, "none");
+ assert.equal(cookie.sameSite, undefined);
 }
 }
 },