fix: use SameSite=Strict by default

darrachequesne · darrachequesne · commit 001ca62cc4a8 · 2020-04-15T15:56:18.000+02:00
In order to remove the following warning in Chrome: A cookie associated with a cross-site resource at ... was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. Please note that the cookie will be disabled by default in Engine.IO v4, see a374471
diff --git a/lib/server.js b/lib/server.js
@@ -323,7 +323,8 @@ Server.prototype.handshake = function (transportName, req) {
       headers['Set-Cookie'] = cookieMod.serialize(self.cookie, id,
         {
           path: self.cookiePath,
-          httpOnly: self.cookiePath ? self.cookieHttpOnly : false
+          httpOnly: self.cookiePath ? self.cookieHttpOnly : false,
+          sameSite: true
         });
     });
   }
diff --git a/test/server.js b/test/server.js
@@ -117,7 +117,7 @@ describe('server', function () {
             expect(err).to.be(null);
             // hack-obtain sid
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/; HttpOnly');
+            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/; HttpOnly; SameSite=Strict');
             done();
           });
       });
@@ -130,7 +130,7 @@ describe('server', function () {
           .end(function (err, res) {
             expect(err).to.be(null);
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('woot=' + sid + '; Path=/; HttpOnly');
+            expect(res.headers['set-cookie'][0]).to.be('woot=' + sid + '; Path=/; HttpOnly; SameSite=Strict');
             done();
           });
       });
@@ -143,7 +143,7 @@ describe('server', function () {
           .end(function (err, res) {
             expect(err).to.be(null);
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/custom; HttpOnly');
+            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/custom; HttpOnly; SameSite=Strict');
             done();
           });
       });
@@ -156,7 +156,7 @@ describe('server', function () {
           .end(function (err, res) {
             expect(err).to.be(null);
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('io=' + sid);
+            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; SameSite=Strict');
             done();
           });
       });
@@ -169,7 +169,7 @@ describe('server', function () {
           .end(function (err, res) {
             expect(err).to.be(null);
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/; HttpOnly');
+            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/; HttpOnly; SameSite=Strict');
             done();
           });
       });
@@ -182,7 +182,7 @@ describe('server', function () {
           .end(function (err, res) {
             expect(err).to.be(null);
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('io=' + sid);
+            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; SameSite=Strict');
             done();
           });
       });
@@ -195,7 +195,7 @@ describe('server', function () {
           .end(function (err, res) {
             expect(err).to.be(null);
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/');
+            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/; SameSite=Strict');
             done();
           });
       });
@@ -208,7 +208,7 @@ describe('server', function () {
           .end(function (err, res) {
             expect(err).to.be(null);
             var sid = res.text.match(/"sid":"([^"]+)"/)[1];
-            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/; HttpOnly');
+            expect(res.headers['set-cookie'][0]).to.be('io=' + sid + '; Path=/; HttpOnly; SameSite=Strict');
             done();
           });
       });

Original file line number	Diff line number	Diff line change
`@@ -323,7 +323,8 @@ Server.prototype.handshake = function (transportName, req) {`
`323`	`323`	`headers['Set-Cookie'] = cookieMod.serialize(self.cookie, id,`
`324`	`324`	`{`
`325`	`325`	`path: self.cookiePath,`
`326`		`- httpOnly: self.cookiePath ? self.cookieHttpOnly : false`
	`326`	`+ httpOnly: self.cookiePath ? self.cookieHttpOnly : false,`
	`327`	`+ sameSite: true`
`327`	`328`	`});`
`328`	`329`	`});`
`329`	`330`	`}`