feat(ngCookie): support sameSite option

m-amr · m-amr · commit 56bd6120f1c4 · 2018-05-16T06:30:12.000+02:00
Closes #16543 Closes #16544
diff --git a/src/ng/cookieReader.js b/src/ng/cookieReader.js
@@ -43,7 +43,6 @@ function $$CookieReader($document) {
         cookie = cookieArray[i];
         index = cookie.indexOf('=');
         if (index > 0) { //ignore nameless cookies
-          name = safeDecodeURIComponent(cookie.substring(0, index));
           // the first value that is seen for a cookie is the most
           // specific one.  values for the same cookie name that
           // follow are for less specific paths.
diff --git a/src/ngCookies/cookieWriter.js b/src/ngCookies/cookieWriter.js
@@ -33,6 +33,7 @@ function $$CookieWriter($document, $log, $browser) {
     str += options.domain ? ';domain=' + options.domain : '';
     str += expires ? ';expires=' + expires.toUTCString() : '';
     str += options.secure ? ';secure' : '';
+    str += options.sameSite ? ';sameSite=' + options.sameSite : '';
 
     // per http://www.ietf.org/rfc/rfc2109.txt browser must allow at minimum:
     // - 300 cookies
diff --git a/src/ngCookies/cookies.js b/src/ngCookies/cookies.js
@@ -38,6 +38,10 @@ angular.module('ngCookies', ['ng']).
      *   or a Date object indicating the exact date/time this cookie will expire.
      * - **secure** - `{boolean}` - If `true`, then the cookie will only be available through a
      *   secured connection.
+     * - **sameSite** - `{string}` - prevents the browser from sending the cookie along with cross-site requests.
+     *   Accepts the values `lax` and `strict`. See the [OWASP Wiki](https://www.owasp.org/index.php/SameSite)
+     *   for more info. Note that as of May 2018, not all browsers support `SameSite`,
+     *   so it cannot be used as a single measure against Cross-Site-Request-Forgery (CSRF) attacks.
      *
      * Note: By default, the address that appears in your `<base>` tag will be used as the path.
      * This is important so that cookies will be visible for all routes when html5mode is enabled.
diff --git a/test/ngCookies/cookieWriterSpec.js b/test/ngCookies/cookieWriterSpec.js
@@ -181,6 +181,16 @@ describe('cookie options', function() {
     expect(getLastCookieAssignment('secure')).toBe(true);
   });
 
+  it('should accept sameSite option when value is lax', function() {
+    $$cookieWriter('name', 'value', {sameSite: 'lax'});
+    expect(getLastCookieAssignment('sameSite')).toBe('lax');
+  });
+
+  it('should accept sameSite option when value is strict', function() {
+    $$cookieWriter('name', 'value', {sameSite: 'strict'});
+    expect(getLastCookieAssignment('sameSite')).toBe('strict');
+  });
+
   it('should accept expires option on set', function() {
     $$cookieWriter('name', 'value', {expires: 'Fri, 19 Dec 2014 00:00:00 GMT'});
     expect(getLastCookieAssignment('expires')).toMatch(/^Fri, 19 Dec 2014 00:00:00 (UTC|GMT)$/);
