Fix Uppercase handling for SameSite cookie values
ksjogo authored and wmertens committed Jan 17, 2024
1 parent 8f7800b commit 291b857
Showing 6 changed files with 11 additions and 5 deletions.
Expand Up @@ -68,7 +68,7 @@
}
],
"kind": "Interface",
"content": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie\n\n\n```typescript\nexport interface CookieOptions \n```\n\n\n| Property | Modifiers | Type | Description |\n| --- | --- | --- | --- |\n| [domain?](#) | | string | _(Optional)_ Defines the host to which the cookie will be sent. If omitted, this attribute defaults to the host of the current document URL, not including subdomains. |\n| [expires?](#) | | Date \\| string | _(Optional)_ Indicates the maximum lifetime of the cookie as an HTTP-date timestamp. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. |\n| [httpOnly?](#) | | boolean | _(Optional)_ Forbids JavaScript from accessing the cookie, for example, through the <code>document.cookie</code> property. |\n| [maxAge?](#) | | number \\| \\[number, 'seconds' \\| 'minutes' \\| 'hours' \\| 'days' \\| 'weeks'\\] | _(Optional)_ Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. You can also use the array syntax to set the max-age using minutes, hours, days or weeks. For example, <code>{ maxAge: [3, &quot;days&quot;] }</code> would set the cookie to expire in 3 days. |\n| [path?](#) | | string | _(Optional)_ Indicates the path that must exist in the requested URL for the browser to send the Cookie header. |\n| [sameSite?](#) | | 'strict' \\| 'lax' \\| 'none' \\| boolean | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF). |\n| [secure?](#) | | boolean | _(Optional)_ Indicates that the cookie is sent to the server only when a request is made with the <code>https:</code> scheme (except on localhost) |",
"content": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie\n\n\n```typescript\nexport interface CookieOptions \n```\n\n\n| Property | Modifiers | Type | Description |\n| --- | --- | --- | --- |\n| [domain?](#) | | string | _(Optional)_ Defines the host to which the cookie will be sent. If omitted, this attribute defaults to the host of the current document URL, not including subdomains. |\n| [expires?](#) | | Date \\| string | _(Optional)_ Indicates the maximum lifetime of the cookie as an HTTP-date timestamp. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. |\n| [httpOnly?](#) | | boolean | _(Optional)_ Forbids JavaScript from accessing the cookie, for example, through the <code>document.cookie</code> property. |\n| [maxAge?](#) | | number \\| \\[number, 'seconds' \\| 'minutes' \\| 'hours' \\| 'days' \\| 'weeks'\\] | _(Optional)_ Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. You can also use the array syntax to set the max-age using minutes, hours, days or weeks. For example, <code>{ maxAge: [3, &quot;days&quot;] }</code> would set the cookie to expire in 3 days. |\n| [path?](#) | | string | _(Optional)_ Indicates the path that must exist in the requested URL for the browser to send the Cookie header. |\n| [sameSite?](#) | | 'strict' \\| 'lax' \\| 'none' \\| 'Strict' \\| 'Lax' \\| 'None' \\| boolean | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF). |\n| [secure?](#) | | boolean | _(Optional)_ Indicates that the cookie is sent to the server only when a request is made with the <code>https:</code> scheme (except on localhost) |",
"editUrl": "https://github.com/BuilderIO/qwik/tree/main/packages/qwik-city/middleware/request-handler/types.ts",
"mdFile": "qwik-city.cookieoptions.md"
},
Expand Up @@ -74,7 +74,7 @@ export interface CookieOptions
| [httpOnly?](#) | | boolean | _(Optional)_ Forbids JavaScript from accessing the cookie, for example, through the <code>document.cookie</code> property. |
| [maxAge?](#) | | number \| [number, 'seconds' \| 'minutes' \| 'hours' \| 'days' \| 'weeks'] | _(Optional)_ Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. You can also use the array syntax to set the max-age using minutes, hours, days or weeks. For example, <code>{ maxAge: [3, &quot;days&quot;] }</code> would set the cookie to expire in 3 days. |
| [path?](#) | | string | _(Optional)_ Indicates the path that must exist in the requested URL for the browser to send the Cookie header. |
| [sameSite?](#) | | 'strict' \| 'lax' \| 'none' \| boolean | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF). |
| [sameSite?](#) | | 'strict' \| 'lax' \| 'none' \| 'Strict' \| 'Lax' \| 'None' \| boolean | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF). |
| [secure?](#) | | boolean | _(Optional)_ Indicates that the cookie is sent to the server only when a request is made with the <code>https:</code> scheme (except on localhost) |

[Edit this section](https://github.com/BuilderIO/qwik/tree/main/packages/qwik-city/middleware/request-handler/types.ts)
2 changes: 1 addition & 1 deletion packages/qwik-city/middleware/request-handler/api.md
Expand Up @@ -54,7 +54,7 @@ export interface CookieOptions {
httpOnly?: boolean;
maxAge?: number | [number, 'seconds' | 'minutes' | 'hours' | 'days' | 'weeks'];
path?: string;
sameSite?: 'strict' | 'lax' | 'none' | boolean;
sameSite?: 'strict' | 'lax' | 'none' | 'Strict' | 'Lax' | 'None' | boolean;
secure?: boolean;
}

5 changes: 4 additions & 1 deletion packages/qwik-city/middleware/request-handler/cookie.ts
Expand Up @@ -2,8 +2,11 @@ import type { Cookie as CookieInterface, CookieOptions, CookieValue } from './ty

const SAMESITE = {
lax: 'Lax',
Lax: 'Lax',
None: 'None',
none: 'None',
strict: 'Strict',
Strict: 'Strict',
} as const;

const UNIT = {
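Review bot: The SAMESITE map now carries two exact spellings per value (`lax`/`Lax`, `none`/`None`, `strict`/`Strict`), so any other casing that reaches it at runtime, for example `LAX` from untyped JavaScript or a config file, still has no entry. Consider keeping only the lowercase keys and lowercasing string input before the lookup; that covers every casing with three entries instead of six. If the duplicated keys stay, order the pairs consistently: `None` precedes `none` here, while `lax` precedes `Lax` and `strict` precedes `Strict`.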
Expand Down Expand Up @@ -75,7 +78,7 @@ const parseCookieString = (cookieString: string | undefined | null) => {
return cookie;
};

function resolveSameSite(sameSite: boolean | 'strict' | 'lax' | 'none' | undefined) {
function resolveSameSite(sameSite: CookieOptions['sameSite']) {
if (sameSite === true) {
return 'Strict';
}
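Review bot: resolveSameSite still has no explicit return type, and with the parameter now derived from `CookieOptions['sameSite']` any future widening of that union flows into this function unchecked. Annotating the return as `'Strict' | 'Lax' | 'None' | undefined` would make the compiler flag a value that the SAMESITE map does not cover, rather than leaving it to the unit tests.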
3 changes: 3 additions & 0 deletions packages/qwik-city/middleware/request-handler/cookie.unit.ts
Expand Up @@ -80,6 +80,9 @@ test('creates correct headers', () => {
options: { expires: new Date(0) },
expect: 'm=13; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
},
{ key: 'n', value: '14', options: { sameSite: 'Strict' }, expect: 'n=14; SameSite=Strict' },
{ key: 'o', value: '15', options: { sameSite: 'Lax' }, expect: 'o=15; SameSite=Lax' },
{ key: 'p', value: '16', options: { sameSite: 'None' }, expect: 'p=16; SameSite=None' },
];
const cookie = new Cookie('');
const expect = data.map(({ expect }) => expect);
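Review bot: The new case `{ sameSite: 'None' }` pins the output `p=16; SameSite=None` with no `Secure` attribute, and current browsers reject a `SameSite=None` cookie that lacks `Secure`. Add a companion case with `secure: true` so the suite shows the combination that is actually accepted, and say in a comment that the bare form is only asserted for serialization. The three added rows also cover only the capitalized spellings; a row for a value the map does not list would document what the serializer emits in that case.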
2 changes: 1 addition & 1 deletion packages/qwik-city/middleware/request-handler/types.ts
Expand Up @@ -538,7 +538,7 @@ export interface CookieOptions {
* Controls whether or not a cookie is sent with cross-site requests, providing some protection
* against cross-site request forgery attacks (CSRF).
*/
sameSite?: 'strict' | 'lax' | 'none' | boolean;
sameSite?: 'strict' | 'lax' | 'none' | 'Strict' | 'Lax' | 'None' | boolean;
/**
* Indicates that the cookie is sent to the server only when a request is made with the `https:`
* scheme (except on localhost)
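Review bot: The JSDoc above `sameSite` is unchanged although the type gained `'Strict' | 'Lax' | 'None'`, so nothing tells a reader that the capitalized forms are aliases for the lowercase ones or what the `boolean` member means. Add a sentence stating that both spellings produce the same attribute and that `true` resolves to `Strict` (per resolveSameSite in cookie.ts). The generated api.md and docs tables in this commit repeat this description, so the fix belongs here. A named alias for the six-literal union would also keep the interface line readable.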