ardatan/whatwg-node

Samesite is not being respected

Negan1911 opened this issue · 1 comments

Describe the bug

To Reproduce

Steps to reproduce the behavior:

  1. Set a cookie as follows:

     await request.cookieStore.set({
       name: 'your_name',
       secure: true,
       sameSite: 'none',
       expires: Date.now() + expiresIn,
       domain: process.env.DOMAIN || 'localhost',
       value: 'your_value',
     })

Expected behavior

The cookie should be set with SameSite=None; Secure. But instead, when "Secure" is being applied, it's always forced to be "Lax" (https://github.com/ardatan/whatwg-node/blob/master/packages/cookie-store/src/getCookieString.ts#L22). This invalidates many use cases, like hosting the backend on any other domain than the frontend.

Environment:

  • OS: MacOS
  • package-name...: @whatwg-node/server-plugin-cookies
  • NodeJS: v18.15.0

Additional context

Merged and released! Thanks for your PR!
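
Added example, not part of the issue and not the package's getCookieString code: a serializer that keeps the caller's sameSite value instead of rewriting it, plus a small attribute parser for a regression check on the reported case. The function names serializeCookie, cookieAttributes and reportedCase are hypothetical, and the sample options are constructed. It rejects SameSite=None without Secure, since browsers refuse such cookies.

```javascript
// Hypothetical helpers for illustration; not the whatwg-node implementation.
const SAME_SITE = { strict: 'Strict', lax: 'Lax', none: 'None' };

// Serialize CookieStore-style options into a Set-Cookie header value.
function serializeCookie(opts) {
  const { name, value, domain, path = '/', expires, secure = false } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Path=${path}`);
  if (expires != null) parts.push(`Expires=${new Date(expires).toUTCString()}`);
  if (secure) parts.push('Secure');

  // Emit SameSite only when the caller asked for it, and emit what was asked.
  if (opts.sameSite != null) {
    const sameSite = SAME_SITE[String(opts.sameSite).toLowerCase()];
    if (!sameSite) throw new TypeError(`Unknown sameSite: ${opts.sameSite}`);
    // Browsers reject SameSite=None without Secure, so fail loudly here
    // rather than silently downgrading the value to Lax.
    if (sameSite === 'None' && !secure) {
      throw new TypeError('SameSite=None requires secure: true');
    }
    parts.push(`SameSite=${sameSite}`);
  }
  return parts.join('; ');
}

// Parse the attributes of a Set-Cookie value (keys lower-cased, flags -> true).
function cookieAttributes(header) {
  const attrs = {};
  for (const part of header.split(';').slice(1)) {
    const [key, ...rest] = part.trim().split('=');
    attrs[key.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return attrs;
}

// Constructed input mirroring the report: secure cookie with sameSite 'none'.
function reportedCase() {
  return serializeCookie({
    name: 'your_name',
    value: 'your_value',
    secure: true,
    sameSite: 'none',
    domain: 'localhost',
    expires: Date.UTC(2030, 0, 1),
  });
}
```

A regression test for the behaviour described in the issue would assert that cookieAttributes(reportedCase()).samesite is 'None' and that the secure flag is present.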