sameSite cookie support

[arkadiyt]

I'm submitting a ...

• bug report
• feature request
• other

Current behavior:

Right now the angular cookie options support setting domain, expiration, and secure flags, but do not support the sameSite flag.

Expected / new behavior:

I'd like to request that support be added for the sameSite flag - this would help protect against CSRF attacks using cookies created by angular.

Minimal reproduction of the problem with instructions:

N/A

AngularJS version: 1.6.11

Browser: [Chrome >= 63 | Firefox >= 60 | Mobile Chrome >= 64]

Pulled via https://caniuse.com/#search=samesite

Anything else:

[petebacondarwin]

Here is some background info: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

[petebacondarwin]

This seems like a reasonable request. I would say that changes need to go here: https://github.com/angular/angular.js/blob/master/src/ngCookies/cookieWriter.js#L35
With the new option being documented appropriate throughout the ngCookies module.

[gkalpak]

I am a little sceptical, since this is still experimental, there doesn't seem to be an up-to-date spec (only a draft that has expired since 2016) and is only implemented by Chrome (since 2016) and soon Firefox (currently in Firefox beta). This means that users can't really rely on it for protection (since several "mainstream" browsers will ignore it). Using CSRF tokens is a much better/more reliable way of protecting your app against CSRF attacks (afaict).

We should at least point it out in the docs.