fix: distinguish between no samesite and samesite=none (#240)

colincasey · web-flow · commit aa4396da7abc · 2022-07-27T10:53:02.000-07:00
* Adding some initial tests
* fix: distinguish between no samesite and samesite=none
diff --git a/lib/cookie.js b/lib/cookie.js
@@ -619,11 +619,11 @@ function parse(str, options) {
           case "lax":
             c.sameSite = "lax";
             break;
+          case "none":
+            c.sameSite = "none";
+            break;
           default:
-            // RFC6265bis-02 S5.3.7 step 1:
-            // "If cookie-av's attribute-value is not a case-insensitive match
-            //  for "Strict" or "Lax", ignore the "cookie-av"."
-            // This effectively sets it to 'none' from the prototype.
+            c.sameSite = undefined;
             break;
         }
         break;
@@ -807,7 +807,7 @@ const cookieDefaults = {
   pathIsDefault: null,
   creation: null,
   lastAccessed: null,
-  sameSite: "none"
+  sameSite: undefined
 };
 
 class Cookie {
@@ -1221,7 +1221,11 @@ class CookieJar {
     }
 
     // 6252bis-02 S5.4 Step 13 & 14:
-    if (cookie.sameSite !== "none" && sameSiteContext) {
+    if (
+      cookie.sameSite !== "none" &&
+      cookie.sameSite !== undefined &&
+      sameSiteContext
+    ) {
       // "If the cookie's "same-site-flag" is not "None", and the cookie
       //  is being set from a context whose "site for cookies" is not an
       //  exact match for request-uri's host's registered domain, then
diff --git a/test/parsing_test.js b/test/parsing_test.js
@@ -158,8 +158,8 @@ vows
       "has max-age": function(c) {
         assert.equal(c.maxAge, 1234);
       },
-      "has same-site 'none'": function(c) {
-        assert.equal(c.sameSite, "none");
+      "has same-site 'undefined'": function(c) {
+        assert.equal(c.sameSite, undefined);
       },
       "has extensions": function(c) {
         assert.ok(c.extensions);
@@ -677,19 +677,47 @@ vows
           assert.equal(c.extensions, null);
         }
       },
-      absent: {
+      none: {
         topic: function() {
-          return Cookie.parse("abc=xyzzy; SameSite=example.com") || null;
+          return Cookie.parse("abc=xyz; SameSite=NoNe") || null;
         },
         parsed: function(c) {
           assert.ok(c);
         },
-        "is set to 'none' (by prototype)": function(c) {
+        "is none (lowercased)": function(c) {
           assert.equal(c.sameSite, "none");
         },
         "no extensions": function(c) {
           assert.equal(c.extensions, null);
         }
+      },
+      bad: {
+        topic: function() {
+          return Cookie.parse("abc=xyzzy; SameSite=example.com") || null;
+        },
+        parsed: function(c) {
+          assert.ok(c);
+        },
+        "is set to 'undefined'": function(c) {
+          assert.equal(c.sameSite, undefined);
+        },
+        "no extensions": function(c) {
+          assert.equal(c.extensions, null);
+        }
+      },
+      absent: {
+        topic: function() {
+          return Cookie.parse("abc=xyzzy;") || null;
+        },
+        parsed: function(c) {
+          assert.ok(c);
+        },
+        "is set to 'undefined'": function(c) {
+          assert.equal(c.sameSite, undefined);
+        },
+        "no extensions": function(c) {
+          assert.equal(c.extensions, null);
+        }
       }
     },
     "empty string": {
diff --git a/test/same_site_test.js b/test/same_site_test.js
@@ -124,9 +124,9 @@ vows
           topic: function(options) {
             this.callSetCookie("garbage", options, this.callback);
           },
-          "treated as 'none'": function(err, cookie) {
+          "treated as 'undefined'": function(err, cookie) {
             assert.isNull(err);
-            assert.equal(cookie.sameSite, "none");
+            assert.equal(cookie.sameSite, undefined);
           }
         },
         "for strict cookie": {
@@ -151,9 +151,9 @@ vows
           topic: function(options) {
             this.callSetCookie("normal", options, this.callback);
           },
-          "treated as 'none'": function(err, cookie) {
+          "treated as 'undefined'": function(err, cookie) {
             assert.isNull(err);
-            assert.equal(cookie.sameSite, "none");
+            assert.equal(cookie.sameSite, undefined);
           }
         }
       },
