From 21271cb6cd0eb936d8ced288ddee89fc09ba2a3a Mon Sep 17 00:00:00 2001
From: Lloyd Brookes
Date: Thu, 25 Jul 2024 13:42:57 +0300
Subject: [PATCH] remove 'SameSite=none' together with 'secure'. Fixes #14
---
 index.js | 8 +++++-
 test/remote.js | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 3df3398..fc1a5e4 100644
--- a/index.js
+++ b/index.js
@@ -139,7 +139,13 @@ function proxyRequest (route, mw, lws) {
 /* On insecure connections, remove `secure` attribute from remote cookies */
 const setCookies = remoteRes.headers['set-cookie']
 if (!ctx.req.socket.encrypted && !lws.config.rewriteKeepSecureAttr && setCookies && setCookies.length) {
- const cookies = setCookies.map(c => util.removeCookieAttribute(c, 'secure'))
+ const cookies = setCookies.map(c => {
+ let result = util.removeCookieAttribute(c, 'secure')
+ if (/samesite=none/.test(result)) {
+ result = util.removeCookieAttribute(result, 'samesite=none')
+ }
+ return result
+ })
 remoteRes.headers['set-cookie'] = cookies
 }
diff --git a/test/remote.js b/test/remote.js
index e170849..1b0e184 100644
--- a/test/remote.js
+++ b/test/remote.js
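Review bot: The `/samesite=none/` test on the added `if` line is case-sensitive, so a remote that emits the attribute as `SameSite=None` (the capitalisation most server frameworks use; cookie attribute names and this value are matched case-insensitively by browsers) is not detected and the attribute survives while `secure` is stripped, leaving a cookie the browser discards on the plaintext connection, which is the situation the commit is fixing. Changing the guard to `if (/samesite=none/i.test(result)) {` fixes the detection; whether `util.removeCookieAttribute` itself matches the attribute case-insensitively is not visible here and should be confirmed, since both tests added in this commit only produce Koa's lowercase form. The enclosing `proxyRequest` function starts and ends outside the hunk.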
@@ -273,6 +273,39 @@ tom.test('GET HTTPS, secure cookie attribute set - remove it', async function ()
 }
 }, { timeout: 120000 })
+tom.test('GET HTTPS, `secure` and `SameSite=none` attributes set - remove them both', async function () {
+ class SecureCookie {
+ middleware (config, lws) {
+ return function (ctx, next) {
+ const secure = true
+ ctx.cookies.set('test', 'one', { secure, sameSite: 'none' })
+ ctx.body = 'test'
+ }
+ }
+ }
+ const remotePort = 10000 + this.index
+ const remoteLws = await Lws.create({
+ port: remotePort,
+ https: true,
+ stack: [SecureCookie]
+ })
+
+ const port = 8100 + this.index
+ const lws = await Lws.create({
+ port,
+ stack: [Rewrite, Static],
+ rewrite: { from: '/', to: `https://localhost:${remotePort}/` }
+ })
+ try {
+ const response = await fetch(`http://localhost:${port}/`)
+ a.strictEqual(response.status, 200)
+ a.strictEqual(response.headers.get('set-cookie'), 'test=one; path=/; httponly')
+ } finally {
+ lws.server.close()
+ remoteLws.server.close()
+ }
+}, { timeout: 120000 })
+
 tom.test('GET HTTPS, --rewrite.keep-secure-attr', async function () {
 class SecureCookie {
 middleware (config, lws) {
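Review bot: The new test exercises only the lowercase `samesite=none` form that Koa's cookie setter emits (see the expected string on the `a.strictEqual` line), so it does not show that a remote sending the conventional `SameSite=None; Secure` spelling is handled by the rewrite. A second case whose middleware writes the header literally, e.g. `ctx.set('Set-Cookie', 'test=one; Path=/; SameSite=None; Secure')` (assuming Koa's `ctx.set` is available on this ctx), asserting that both attributes are gone from the proxied response, would pin that behaviour. The unused `next` parameter and the `const secure = true` indirection mirror the neighbouring tests, so they are consistent with the file's style.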
@@ -342,4 +375,39 @@ tom.test('GET HTTPS, --rewrite.keep-secure-attr, multiple cookies', async functi
 }
 }, { timeout: 120000 })
+tom.test('GET HTTPS, --rewrite.keep-secure-attr keeps sameSite value too, multiple cookies', async function () {
+ class SecureCookie {
+ middleware (config, lws) {
+ return function (ctx, next) {
+ const secure = true
+ ctx.cookies.set('test', 'one', { secure, sameSite: 'none' })
+ ctx.cookies.set('test2', 'two', { secure, sameSite: 'none' })
+ ctx.body = 'test'
+ }
+ }
+ }
+ const remotePort = 10000 + this.index
+ const remoteLws = await Lws.create({
+ port: remotePort,
+ https: true,
+ stack: [SecureCookie]
+ })
+
+ const port = 8100 + this.index
+ const lws = await Lws.create({
+ port,
+ stack: [Rewrite, Static],
+ rewrite: { from: '/', to: `https://localhost:${remotePort}/` },
+ rewriteKeepSecureAttr: true
+ })
+ try {
+ const response = await fetch(`http://localhost:${port}/`)
+ a.strictEqual(response.status, 200)
+ a.strictEqual(response.headers.get('set-cookie'), 'test=one; path=/; samesite=none; secure; httponly, test2=two; path=/; samesite=none; secure; httponly')
+ } finally {
+ lws.server.close()
+ remoteLws.server.close()
+ }
+}, { timeout: 120000 })
+
 export default tom
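Review bot: The assertion on the last `a.strictEqual` line depends on `Headers.get('set-cookie')` folding both cookies into one comma-joined string, which is fragile for `Set-Cookie` because attribute values such as `Expires` dates themselves contain commas. `response.headers.getSetCookie()` returns the individual headers as an array, so `a.deepStrictEqual(response.headers.getSetCookie(), ['test=one; path=/; samesite=none; secure; httponly', 'test2=two; path=/; samesite=none; secure; httponly'])` checks the same thing without that dependence, provided the Node version the suite runs on exposes it. Since this test passes `rewriteKeepSecureAttr: true`, it never enters the new `map` callback in index.js; it guards the opt-out path rather than the fix, which is worth stating in the test name or a comment.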