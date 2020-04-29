The module comes with:
A small utility function
isSameSiteNoneCompatible for detecting incompatible user agents (browsers) for the
SameSite=None cookie attribute.
A Express middleware
shouldSendSameSiteNone for automatically removing
SameSite=None from response header when reqesting client is incompatible with
SameSite=None. (Note: You are still responsible for adding the 'Secure' cookie attribute whenever applicable.)
With Chrome 80 in February 2020, Chrome will treat cookies that have no declared SameSite value as
SameSite=Lax cookies. Other browser vendors are expected to follow Google’s lead. (See this Blog Post).
If you manage cross-site cookies, you will need to apply the SameSite=None; Secure setting to those cookies. However, some browsers, including some versions of Chrome, Safari and UC Browser, might handle the None value in unintended ways, requiring developers to code exceptions for those clients.
isSameSiteNoneCompatible utility function detects incompatible user agents based on a list of known incompatible clients and returns
true if the given user-agent string is compatible with
SameSite=None cookie attribute.
For Express.js,
shouldSendSameSiteNone middleware automatically removes
SameSite=None from set-cookie response header when the reqesting client is incompatible with
SameSite=None.
isSameSiteNoneCompatible
import { isSameSiteNoneCompatible } from 'should-send-same-site-none';
const ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) ....';
if (isSameSiteNoneCompatible(ua)) {
console.log("Yes, the browser is compatible and we can set SameSite=None cookies");
}
shouldSendSameSiteNone
const express = require('express');
const { shouldSendSameSiteNone } = require('should-send-same-site-none');
const app = express();
// Apply middleware before routes
app.use(shouldSendSameSiteNone);
app.get('/', function (req, res) {
// Set cookie with SameSite='None' as needed;
res.cookie("foo", "bar", { sameSite: "none", secure: true });
res.send('hello world');
});
app.listen(3000);
npm run test
PASS ./index.test.js
✓ Test Chrome 50 @ Win10 (true) (4ms)
✓ Test Chrome 67 @ Win10 (true) (1ms)
✓ Test Chrome 60 @ IOS (true)
✓ Test Chrome @ Mac (true)
✓ Test UC Browser 12.13.2 @ Andriod (true) (1ms)
✓ Test UC Browser 12.13.4 @ Andriod (true)
✓ Test Safari @ Mac 13 (true)
✓ Test Safari @ Mac 15.5 (true) (1ms)
✓ Test Safari @ ios 13 (true)
✓ Test Chrome 51 (false)
✓ Test Chrome 52 @ Win 10 (false)
✓ Test Chrome 53 @ Win 10 (false)
✓ Test Chrome 54 (false)
✓ Test Chrome 55 @ Mac (false)
✓ Test Chrome 56 @ Linux (false) (1ms)
✓ Test Chrome 57 @ Win 7 (false)
✓ Test Chrome 58 @ Android (false)
✓ Test Chrome 59 @ Win7 (false)
✓ Test Chrome 60 @ Win10 (false) (1ms)
✓ Test Chrome 61 @ Win10 (false)
✓ Test Chrome 62 @ Win10 (false)
✓ Test Chrome 63 @ Win7 (false)
✓ Test Chrome 64 @ Win7 (false) (1ms)
✓ Test Chrome 65 (false)
✓ Test Chrome 66 @ Win10 (false)
✓ Test Chrome 66 Webview (false)
✓ Test UC Browser @ 10.7 (false)
✓ Test UC Browser 12 @ Android (false) (1ms)
✓ Test UC Browser 11.5 @ iOS 11 (false) (1ms)
✓ Test Safari @ Mac 10.14 (false) (1ms)
✓ Test Embeded @ Mac 10.4 (false)
✓ Test Safari @ iOS 12 (false)
✓ Test Chrome @ iOS 12 (false)
✓ Test Firefox @ iOS 12 (false)
The approach for detecting incompatible clients are taken from this update.
The following incompatible clients were accounted for at the time of writing:
SameSite=None. This also affects older versions of Chromium-derived browsers, as well as Android WebView. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in Chrome 67 and newer. (Prior to Chrome 51, the SameSite attribute was ignored entirely and all cookies were treated as if they were
SameSite=None.)
SameSite=None. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in newer versions of UC Browser.
SameSite=None as if they were marked
SameSite=Strict. This bug has been fixed on newer versions of iOS and MacOS.
Compatibilities of the following clients are unclear:
Please file an issue if additional incompatible clients are identified.