davidmoreno/onion

Any plans on supporting "SameSite" cookie?

IronBlood opened this issue · 2 comments

There's an example of SameSite attribute on MDN

Set-Cookie: mykey=myvalue; SameSite=Strict

Right now it's still in the draft stage of RFC 6265, but most major browsers (except IE) already support this attribute, according to MDN's browser compatibility.

I'd like to create a PR if this proposal sounds good to you. Looks like an easy one, with a few more onion_response_flags and more outputs with onion_response_add_cookie, and of course the tests.

Sounds perfect for me.

The use of the onion_response_flags is, I guess, to force all cookies SameSite. If so, I think that just adding a flag to onion_response_add_cookie would be a perfect first approximation.

I would like to offer multiple choices so people can use whatever they prefer, like:

onion_response_add_cookie(..., OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_NONE);
// or
onion_response_add_cookie(..., OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_STRICT);

If none of the OC_SAMESITE_* flags is used, there'll be no changes to cookies.
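The following is an added, self-contained sketch of how the proposed flag handling could render the Set-Cookie value; it is not code from onion and it does not use onion's real API. The flag bit values and the `build_set_cookie` function are assumptions made for this example, not the project's own identifiers. Beyond what the thread lays out, it also rejects two combinations a practitioner would want caught early: more than one OC_SAMESITE_* bit set at once, and SameSite=None without Secure, which current browsers silently discard.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag bits chosen for this example only; they are not taken
 * from onion's headers. OC_SAMESITE_* are the additions proposed in the thread. */
enum {
    OC_HTTP_ONLY       = 1 << 0,
    OC_SECURE          = 1 << 1,
    OC_SAMESITE_NONE   = 1 << 2,
    OC_SAMESITE_LAX    = 1 << 3,
    OC_SAMESITE_STRICT = 1 << 4,
};

#define OC_SAMESITE_MASK (OC_SAMESITE_NONE | OC_SAMESITE_LAX | OC_SAMESITE_STRICT)

/* Append text at *pos; returns 0 on success, -1 if it would not fit (with NUL). */
static int append(char *out, size_t outlen, size_t *pos, const char *text) {
    size_t len = strlen(text);
    if (*pos + len + 1 > outlen) return -1;
    memcpy(out + *pos, text, len + 1);
    *pos += len;
    return 0;
}

/* Render the value of a Set-Cookie header from name, value, optional path and
 * the flag set. Returns the number of bytes written, or -1 when the buffer is
 * too small, when more than one SameSite mode is requested, or when
 * SameSite=None is requested without Secure (browsers reject that cookie). */
int build_set_cookie(char *out, size_t outlen, const char *name,
                     const char *value, const char *path, int flags) {
    int samesite = flags & OC_SAMESITE_MASK;
    /* Exactly zero or one SameSite bit: samesite must be 0 or a power of two. */
    if (samesite & (samesite - 1)) return -1;
    /* SameSite=None is only honoured by browsers when the cookie is also Secure. */
    if ((flags & OC_SAMESITE_NONE) && !(flags & OC_SECURE)) return -1;

    size_t pos = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (append(out, outlen, &pos, name) || append(out, outlen, &pos, "=") ||
        append(out, outlen, &pos, value)) return -1;
    if (path && *path) {
        if (append(out, outlen, &pos, "; Path=") || append(out, outlen, &pos, path)) return -1;
    }
    if ((flags & OC_HTTP_ONLY) && append(out, outlen, &pos, "; HttpOnly")) return -1;
    if ((flags & OC_SECURE) && append(out, outlen, &pos, "; Secure")) return -1;
    if (samesite == OC_SAMESITE_NONE && append(out, outlen, &pos, "; SameSite=None")) return -1;
    if (samesite == OC_SAMESITE_LAX && append(out, outlen, &pos, "; SameSite=Lax")) return -1;
    if (samesite == OC_SAMESITE_STRICT && append(out, outlen, &pos, "; SameSite=Strict")) return -1;
    return (int)pos;
}

int main(void) {
    char buf[256];
    /* Constructed sample cookies, mirroring the MDN example and the thread's flag combos. */
    if (build_set_cookie(buf, sizeof buf, "mykey", "myvalue", NULL, OC_SAMESITE_STRICT) > 0)
        printf("Set-Cookie: %s\n", buf);
    if (build_set_cookie(buf, sizeof buf, "sid", "abc", "/",
                         OC_HTTP_ONLY | OC_SECURE | OC_SAMESITE_NONE) > 0)
        printf("Set-Cookie: %s\n", buf);
    /* Rejected: SameSite=None without Secure would be dropped by the browser anyway. */
    if (build_set_cookie(buf, sizeof buf, "sid", "abc", "/", OC_HTTP_ONLY | OC_SAMESITE_NONE) < 0)
        printf("rejected: SameSite=None requires Secure\n");
    return 0;
}
```

The attribute order in the output is fixed by the code, not by the flag order, so the same flag set always yields the same header, which keeps tests deterministic.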