remove 'SameSite=none' together with 'secure'. Fixes #14
75lb committed Jul 25, 2024
1 parent 6376ae8 commit 21271cb
Showing 2 changed files with 75 additions and 1 deletion.
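--- a/index.js
+++ b/index.js
@@ -139,7 +139,13 @@ function proxyRequest (route, mw, lws) {
 /* On insecure connections, remove `secure` attribute from remote cookies */
 const setCookies = remoteRes.headers['set-cookie']
 if (!ctx.req.socket.encrypted && !lws.config.rewriteKeepSecureAttr && setCookies && setCookies.length) {
-const cookies = setCookies.map(c => util.removeCookieAttribute(c, 'secure'))
+const cookies = setCookies.map(c => {
+let result = util.removeCookieAttribute(c, 'secure')
+if (/samesite=none/.test(result)) {
+result = util.removeCookieAttribute(result, 'samesite=none')
+}
+return result
+})
 remoteRes.headers['set-cookie'] = cookies
 }
 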
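Review bot: The `/samesite=none/` test in the new map callback is case-sensitive, so a remote server that emits the canonical `SameSite=None` spelling keeps that attribute while `secure` is stripped, and browsers then drop the cookie on the plain-http origin because SameSite=None is only accepted together with Secure. Cookie attribute names and this value are case-insensitive, so the match should be `if (/samesite=none/i.test(result)) {`, and it is worth confirming that `util.removeCookieAttribute` also matches case-insensitively, since its implementation is not in the hunk. The comment above the block now understates what the code does; consider `/* On insecure connections, strip the secure attribute and SameSite=None (which browsers reject without secure) from remote cookies */`. proxyRequest begins and ends outside the hunk.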
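--- a/test/remote.js
+++ b/test/remote.js
@@ -273,6 +273,39 @@ tom.test('GET HTTPS, secure cookie attribute set - remove it', async function ()
 }
 }, { timeout: 120000 })
 
+tom.test('GET HTTPS, `secure` and `SameSite=none` attributes set - remove them both', async function () {
+class SecureCookie {
+middleware (config, lws) {
+return function (ctx, next) {
+const secure = true
+ctx.cookies.set('test', 'one', { secure, sameSite: 'none' })
+ctx.body = 'test'
+}
+}
+}
+const remotePort = 10000 + this.index
+const remoteLws = await Lws.create({
+port: remotePort,
+https: true,
+stack: [SecureCookie]
+})
+
+const port = 8100 + this.index
+const lws = await Lws.create({
+port,
+stack: [Rewrite, Static],
+rewrite: { from: '/', to: `https://localhost:${remotePort}/` }
+})
+try {
+const response = await fetch(`http://localhost:${port}/`)
+a.strictEqual(response.status, 200)
+a.strictEqual(response.headers.get('set-cookie'), 'test=one; path=/; httponly')
+} finally {
+lws.server.close()
+remoteLws.server.close()
+}
+}, { timeout: 120000 })
+
 tom.test('GET HTTPS, --rewrite.keep-secure-attr', async function () {
 class SecureCookie {
 middleware (config, lws) {
@@ -342,4 +375,39 @@ tom.test('GET HTTPS, --rewrite.keep-secure-attr, multiple cookies', async functi
 }
 }, { timeout: 120000 })
 
+tom.test('GET HTTPS, --rewrite.keep-secure-attr keeps sameSite value too, multiple cookies', async function () {
+class SecureCookie {
+middleware (config, lws) {
+return function (ctx, next) {
+const secure = true
+ctx.cookies.set('test', 'one', { secure, sameSite: 'none' })
+ctx.cookies.set('test2', 'two', { secure, sameSite: 'none' })
+ctx.body = 'test'
+}
+}
+}
+const remotePort = 10000 + this.index
+const remoteLws = await Lws.create({
+port: remotePort,
+https: true,
+stack: [SecureCookie]
+})
+
+const port = 8100 + this.index
+const lws = await Lws.create({
+port,
+stack: [Rewrite, Static],
+rewrite: { from: '/', to: `https://localhost:${remotePort}/` },
+rewriteKeepSecureAttr: true
+})
+try {
+const response = await fetch(`http://localhost:${port}/`)
+a.strictEqual(response.status, 200)
+a.strictEqual(response.headers.get('set-cookie'), 'test=one; path=/; samesite=none; secure; httponly, test2=two; path=/; samesite=none; secure; httponly')
+} finally {
+lws.server.close()
+remoteLws.server.close()
+}
+}, { timeout: 120000 })
+
 export default tom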
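Review bot: Both new tests only exercise the lowercase `samesite=none` form that `ctx.cookies.set` happens to emit, so the stripping branch in index.js is never checked against the canonical `SameSite=None` spelling most upstream servers send, which is exactly where a case-sensitive match would miss. Add a variant that writes the header directly, e.g. `ctx.set('Set-Cookie', 'test=one; Path=/; Secure; SameSite=None')`, and asserts that the proxied cookie carries neither attribute. The `SecureCookie` middleware class is also copied verbatim into each test with only the cookie options differing; a small helper that builds the class from an options object would shorten both hunks and keep future cookie cases in one place.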
