npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

should-send-same-site-none

v2.0.5

Published

A simple utility to detect incompatible user agents for `SameSite=None` cookie attribute

Downloads

127,847

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

dlin-medlin-me

Keywords

Expresssamesitecookiemiddleware

Readme

should-send-same-site-none

The module comes with:

  • A small utility function isSameSiteNoneCompatible for detecting incompatible user agents (browsers) for the SameSite=None cookie attribute.

  • A Express middleware shouldSendSameSiteNone for automatically removing SameSite=None from response header when reqesting client is incompatible with SameSite=None. (Note: You are still responsible for adding the 'Secure' cookie attribute whenever applicable.)

Background

With Chrome 80 in February 2020, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Other browser vendors are expected to follow Google’s lead. (See this Blog Post).

If you manage cross-site cookies, you will need to apply the SameSite=None; Secure setting to those cookies. However, some browsers, including some versions of Chrome, Safari and UC Browser, might handle the None value in unintended ways, requiring developers to code exceptions for those clients.

isSameSiteNoneCompatible utility function detects incompatible user agents based on a list of known incompatible clients and returns true if the given user-agent string is compatible with SameSite=None cookie attribute.

For Express.js, shouldSendSameSiteNone middleware automatically removes SameSite=None from set-cookie response header when the reqesting client is incompatible with SameSite=None.

Usage

Function: isSameSiteNoneCompatible


import { isSameSiteNoneCompatible } from 'should-send-same-site-none';

const ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) ....';

if (isSameSiteNoneCompatible(ua)) {
	console.log("Yes, the browser is compatible and we can set SameSite=None cookies");
}

Middleware: shouldSendSameSiteNone

const express = require('express');
const { shouldSendSameSiteNone } = require('should-send-same-site-none');
const app = express();

// Apply middleware before routes
app.use(shouldSendSameSiteNone);

app.get('/', function (req, res) {
  // Set cookie with SameSite='None' as needed;
  res.cookie("foo", "bar", { sameSite: "none", secure: true });
  res.send('hello world');
});

app.listen(3000);

Running tests

npm run test


 PASS  ./index.test.js

  ✓ Test Chrome 50 @ Win10 (true) (4ms)
  ✓ Test Chrome 67 @ Win10 (true) (1ms)
  ✓ Test Chrome 60 @ IOS (true)
  ✓ Test Chrome @ Mac (true)
  ✓ Test UC Browser 12.13.2 @ Andriod (true) (1ms)
  ✓ Test UC Browser 12.13.4 @ Andriod (true)
  ✓ Test Safari @ Mac 13 (true)
  ✓ Test Safari @ Mac 15.5 (true) (1ms)
  ✓ Test Safari @ ios 13 (true)
  ✓ Test Chrome 51 (false)
  ✓ Test Chrome 52 @ Win 10 (false)
  ✓ Test Chrome 53 @ Win 10 (false)
  ✓ Test Chrome 54 (false)
  ✓ Test Chrome 55 @ Mac (false)
  ✓ Test Chrome 56 @ Linux (false) (1ms)
  ✓ Test Chrome 57 @ Win 7 (false)
  ✓ Test Chrome 58 @ Android (false)
  ✓ Test Chrome 59 @ Win7 (false)
  ✓ Test Chrome 60 @ Win10 (false) (1ms)
  ✓ Test Chrome 61 @ Win10 (false)
  ✓ Test Chrome 62 @ Win10 (false)
  ✓ Test Chrome 63 @ Win7 (false)
  ✓ Test Chrome 64 @ Win7 (false) (1ms)
  ✓ Test Chrome 65 (false)
  ✓ Test Chrome 66 @ Win10 (false)
  ✓ Test Chrome 66 Webview (false)
  ✓ Test UC Browser @ 10.7 (false)
  ✓ Test UC Browser 12 @ Android (false) (1ms)
  ✓ Test UC Browser 11.5 @ iOS 11 (false) (1ms)
  ✓ Test Safari @ Mac 10.14 (false) (1ms)
  ✓ Test Embeded @ Mac 10.4 (false)
  ✓ Test Safari @ iOS 12 (false)
  ✓ Test Chrome @ iOS 12 (false)
  ✓ Test Firefox @ iOS 12 (false)

Note

The approach for detecting incompatible clients are taken from this update.

The following incompatible clients were accounted for at the time of writing:

  • Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). These Chrome versions will reject a cookie with SameSite=None. This also affects older versions of Chromium-derived browsers, as well as Android WebView. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in Chrome 67 and newer. (Prior to Chrome 51, the SameSite attribute was ignored entirely and all cookies were treated as if they were SameSite=None.)
  • Versions of UC Browser on Android prior to version 12.13.2. Older versions will reject a cookie with SameSite=None. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in newer versions of UC Browser.
  • Versions of Safari and embedded browsers on MacOS 10.14 and all browsers on iOS 12. These versions will erroneously treat cookies marked with SameSite=None as if they were marked SameSite=Strict. This bug has been fixed on newer versions of iOS and MacOS.

Compatibilities of the following clients are unclear:

  1. Versions of Chrome from Chrome 51 to Chrome 66 on IOS device; (Assumed compatible)
  2. Versions of UC Browser on other non-Android platforms (e.g. IOS) prior to version 12.13.2. (Assumed Incompatible)

Please file an issue if additional incompatible clients are identified.