should-send-same-site-none
v2.0.5
Published
A simple utility to detect incompatible user agents for `SameSite=None` cookie attribute
Downloads
127,815
Maintainers
Readme
should-send-same-site-none
The module comes with:
A small utility function
isSameSiteNoneCompatible
for detecting incompatible user agents (browsers) for theSameSite=None
cookie attribute.A Express middleware
shouldSendSameSiteNone
for automatically removingSameSite=None
from response header when reqesting client is incompatible withSameSite=None
. (Note: You are still responsible for adding the 'Secure' cookie attribute whenever applicable.)
Background
With Chrome 80 in February 2020, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax
cookies. Other browser vendors are expected to follow Google’s lead. (See this Blog Post).
If you manage cross-site cookies, you will need to apply the SameSite=None; Secure setting to those cookies. However, some browsers, including some versions of Chrome, Safari and UC Browser, might handle the None value in unintended ways, requiring developers to code exceptions for those clients.
isSameSiteNoneCompatible
utility function detects incompatible user agents based on a list of known incompatible clients and returns true
if the given user-agent string is compatible with SameSite=None
cookie attribute.
For Express.js, shouldSendSameSiteNone
middleware automatically removes SameSite=None
from set-cookie response header when the reqesting client is incompatible with SameSite=None
.
Usage
Function: isSameSiteNoneCompatible
import { isSameSiteNoneCompatible } from 'should-send-same-site-none';
const ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) ....';
if (isSameSiteNoneCompatible(ua)) {
console.log("Yes, the browser is compatible and we can set SameSite=None cookies");
}
Middleware: shouldSendSameSiteNone
const express = require('express');
const { shouldSendSameSiteNone } = require('should-send-same-site-none');
const app = express();
// Apply middleware before routes
app.use(shouldSendSameSiteNone);
app.get('/', function (req, res) {
// Set cookie with SameSite='None' as needed;
res.cookie("foo", "bar", { sameSite: "none", secure: true });
res.send('hello world');
});
app.listen(3000);
Running tests
npm run test
PASS ./index.test.js
✓ Test Chrome 50 @ Win10 (true) (4ms)
✓ Test Chrome 67 @ Win10 (true) (1ms)
✓ Test Chrome 60 @ IOS (true)
✓ Test Chrome @ Mac (true)
✓ Test UC Browser 12.13.2 @ Andriod (true) (1ms)
✓ Test UC Browser 12.13.4 @ Andriod (true)
✓ Test Safari @ Mac 13 (true)
✓ Test Safari @ Mac 15.5 (true) (1ms)
✓ Test Safari @ ios 13 (true)
✓ Test Chrome 51 (false)
✓ Test Chrome 52 @ Win 10 (false)
✓ Test Chrome 53 @ Win 10 (false)
✓ Test Chrome 54 (false)
✓ Test Chrome 55 @ Mac (false)
✓ Test Chrome 56 @ Linux (false) (1ms)
✓ Test Chrome 57 @ Win 7 (false)
✓ Test Chrome 58 @ Android (false)
✓ Test Chrome 59 @ Win7 (false)
✓ Test Chrome 60 @ Win10 (false) (1ms)
✓ Test Chrome 61 @ Win10 (false)
✓ Test Chrome 62 @ Win10 (false)
✓ Test Chrome 63 @ Win7 (false)
✓ Test Chrome 64 @ Win7 (false) (1ms)
✓ Test Chrome 65 (false)
✓ Test Chrome 66 @ Win10 (false)
✓ Test Chrome 66 Webview (false)
✓ Test UC Browser @ 10.7 (false)
✓ Test UC Browser 12 @ Android (false) (1ms)
✓ Test UC Browser 11.5 @ iOS 11 (false) (1ms)
✓ Test Safari @ Mac 10.14 (false) (1ms)
✓ Test Embeded @ Mac 10.4 (false)
✓ Test Safari @ iOS 12 (false)
✓ Test Chrome @ iOS 12 (false)
✓ Test Firefox @ iOS 12 (false)
Note
The approach for detecting incompatible clients are taken from this update.
The following incompatible clients were accounted for at the time of writing:
- Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). These Chrome versions will reject a cookie with
SameSite=None
. This also affects older versions of Chromium-derived browsers, as well as Android WebView. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in Chrome 67 and newer. (Prior to Chrome 51, the SameSite attribute was ignored entirely and all cookies were treated as if they wereSameSite=None
.) - Versions of UC Browser on Android prior to version 12.13.2. Older versions will reject a cookie with
SameSite=None
. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in newer versions of UC Browser. - Versions of Safari and embedded browsers on MacOS 10.14 and all browsers on iOS 12. These versions will erroneously treat cookies marked with
SameSite=None
as if they were markedSameSite=Strict
. This bug has been fixed on newer versions of iOS and MacOS.
Compatibilities of the following clients are unclear:
- Versions of Chrome from Chrome 51 to Chrome 66 on IOS device; (Assumed compatible)
- Versions of UC Browser on other non-Android platforms (e.g. IOS) prior to version 12.13.2. (Assumed Incompatible)
Please file an issue if additional incompatible clients are identified.