remove 'SameSite=none' together with 'secure'. Fixes #14

75lb · 75lb · commit 21271cb6cd0e · 2024-07-25T13:42:57.000+03:00
diff --git a/index.js b/index.js
@@ -139,7 +139,13 @@ function proxyRequest (route, mw, lws) {
         /* On insecure connections, remove `secure` attribute from remote cookies */
         const setCookies = remoteRes.headers['set-cookie']
         if (!ctx.req.socket.encrypted && !lws.config.rewriteKeepSecureAttr && setCookies && setCookies.length) {
-          const cookies = setCookies.map(c => util.removeCookieAttribute(c, 'secure'))
+          const cookies = setCookies.map(c => {
+            let result = util.removeCookieAttribute(c, 'secure')
+            if (/samesite=none/.test(result)) {
+              result = util.removeCookieAttribute(result, 'samesite=none')
+            }
+            return result
+          })
           remoteRes.headers['set-cookie'] = cookies
         }
 
diff --git a/test/remote.js b/test/remote.js
@@ -273,6 +273,39 @@ tom.test('GET HTTPS, secure cookie attribute set - remove it', async function ()
   }
 }, { timeout: 120000 })
 
+tom.test('GET HTTPS, `secure` and `SameSite=none` attributes set - remove them both', async function () {
+  class SecureCookie {
+    middleware (config, lws) {
+      return function (ctx, next) {
+        const secure = true
+        ctx.cookies.set('test', 'one', { secure, sameSite: 'none' })
+        ctx.body = 'test'
+      }
+    }
+  }
+  const remotePort = 10000 + this.index
+  const remoteLws = await Lws.create({
+    port: remotePort,
+    https: true,
+    stack: [SecureCookie]
+  })
+
+  const port = 8100 + this.index
+  const lws = await Lws.create({
+    port,
+    stack: [Rewrite, Static],
+    rewrite: { from: '/', to: `https://localhost:${remotePort}/` }
+  })
+  try {
+    const response = await fetch(`http://localhost:${port}/`)
+    a.strictEqual(response.status, 200)
+    a.strictEqual(response.headers.get('set-cookie'), 'test=one; path=/; httponly')
+  } finally {
+    lws.server.close()
+    remoteLws.server.close()
+  }
+}, { timeout: 120000 })
+
 tom.test('GET HTTPS, --rewrite.keep-secure-attr', async function () {
   class SecureCookie {
     middleware (config, lws) {
@@ -342,4 +375,39 @@ tom.test('GET HTTPS, --rewrite.keep-secure-attr, multiple cookies', async functi
   }
 }, { timeout: 120000 })
 
+tom.test('GET HTTPS, --rewrite.keep-secure-attr keeps sameSite value too, multiple cookies', async function () {
+  class SecureCookie {
+    middleware (config, lws) {
+      return function (ctx, next) {
+        const secure = true
+        ctx.cookies.set('test', 'one', { secure, sameSite: 'none' })
+        ctx.cookies.set('test2', 'two', { secure, sameSite: 'none' })
+        ctx.body = 'test'
+      }
+    }
+  }
+  const remotePort = 10000 + this.index
+  const remoteLws = await Lws.create({
+    port: remotePort,
+    https: true,
+    stack: [SecureCookie]
+  })
+
+  const port = 8100 + this.index
+  const lws = await Lws.create({
+    port,
+    stack: [Rewrite, Static],
+    rewrite: { from: '/', to: `https://localhost:${remotePort}/` },
+    rewriteKeepSecureAttr: true
+  })
+  try {
+    const response = await fetch(`http://localhost:${port}/`)
+    a.strictEqual(response.status, 200)
+    a.strictEqual(response.headers.get('set-cookie'), 'test=one; path=/; samesite=none; secure; httponly, test2=two; path=/; samesite=none; secure; httponly')
+  } finally {
+    lws.server.close()
+    remoteLws.server.close()
+  }
+}, { timeout: 120000 })
+
 export default tom
