Samesite is not being respected
Negan1911 opened this issue · 1 comments
Negan1911 commented
Describe the bug
To Reproduce
Steps to reproduce the behavior:
- Set a cookie as follows:
```ts
await request.cookieStore.set({
  name: 'your_name',
  secure: true,
  sameSite: 'none',
  expires: Date.now() + expiresIn,
  domain: process.env.DOMAIN || 'localhost',
  value: 'your_value',
})
```
Expected behavior
The cookie should be set with SameSite=None; Secure. But instead, when "Secure" is being applied, it's always forced to be "Lax" instead (https://github.com/ardatan/whatwg-node/blob/master/packages/cookie-store/src/getCookieString.ts#L22), this invalidates many use cases like hosting the backend on any other domain than the frontend.
Environment:
- OS: MacOS
- package-name...: @whatwg-node/server-plugin-cookies
- NodeJS: v18.15.0
Additional context
ardatan commented
Merged and released! Thanks for your PR!
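The behaviour requested in this issue, as an added example that is not code from @whatwg-node/cookie-store: a serializer that emits the `sameSite` value the caller asked for and refuses `SameSite=None` without `Secure` rather than downgrading it, plus a check that can be run over a `Set-Cookie` value in a regression test. The function names `serializeCookie` and `auditSetCookie` are hypothetical, and the header in `reportedHeader` is constructed to match the symptom described above.

```javascript
// Added example; helper names are hypothetical, not the library's API.
const SAME_SITE = { strict: 'Strict', lax: 'Lax', none: 'None' };

function serializeCookie({ name, value, domain, path = '/', expires, secure = false, sameSite = 'lax' }) {
  const mode = SAME_SITE[String(sameSite).toLowerCase()];
  if (!mode) throw new TypeError(`Unknown sameSite value: ${sameSite}`);
  // Browsers reject SameSite=None without Secure, so fail loudly
  // instead of silently rewriting the attribute.
  if (mode === 'None' && !secure) throw new TypeError('SameSite=None requires secure: true');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (expires != null) parts.push(`Expires=${new Date(expires).toUTCString()}`);
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${mode}`);
  return parts.join('; ');
}

// Compare the attributes in a Set-Cookie value with what the caller requested.
function auditSetCookie(header, requested) {
  const attrs = new Map();
  for (const part of header.split(';').slice(1)) {
    const [key, ...rest] = part.trim().split('=');
    attrs.set(key.toLowerCase(), rest.join('='));
  }
  const findings = [];
  const got = (attrs.get('samesite') || '').toLowerCase();
  const want = String(requested.sameSite || 'lax').toLowerCase();
  if (got !== want) findings.push(`SameSite is "${got || 'absent'}", requested "${want}"`);
  if (got === 'none' && !attrs.has('secure')) findings.push('SameSite=None without Secure');
  if (Boolean(requested.secure) !== attrs.has('secure')) findings.push('Secure flag differs from request');
  return findings;
}

// Same options as the reproduction above, with a fixed expiry for a stable result.
const requested = {
  name: 'your_name', value: 'your_value', domain: 'localhost',
  secure: true, sameSite: 'none', expires: 0,
};
// Constructed header showing the reported symptom (Secure set, SameSite forced to Lax).
const reportedHeader = 'your_name=your_value; Path=/; Domain=localhost; Secure; SameSite=Lax';

console.log(serializeCookie(requested));
console.log(auditSetCookie(reportedHeader, requested));
```
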