From c211b52d1d04cc4871bb8c9c1dd8185fe59b1ad4 Mon Sep 17 00:00:00 2001
From: mohamed amr
Date: Tue, 1 May 2018 16:51:41 +0200
Subject: [PATCH] feat(ngCookie): support sameSite option

Closes #16543
Closes #16544
---
 src/ngCookies/cookieWriter.js | 1 +
 src/ngCookies/cookies.js | 4 ++++
 test/ngCookies/cookieWriterSpec.js | 10 ++++++++++
 3 files changed, 15 insertions(+)

diff --git a/src/ngCookies/cookieWriter.js b/src/ngCookies/cookieWriter.js
index 33daf8fb74cd..7c188bd48327 100644
--- a/src/ngCookies/cookieWriter.js
+++ b/src/ngCookies/cookieWriter.js
@@ -33,6 +33,7 @@ function $$CookieWriter($document, $log, $browser) {
 str += options.domain ? ';domain=' + options.domain : '';
 str += expires ? ';expires=' + expires.toUTCString() : '';
 str += options.secure ? ';secure' : '';
+ str += options.samesite ? ';samesite=' + options.samesite : '';
 
 // per http://www.ietf.org/rfc/rfc2109.txt browser must allow at minimum:
 // - 300 cookies
diff --git a/src/ngCookies/cookies.js b/src/ngCookies/cookies.js
index 734ab0ffe53a..02bf22a822c0 100644
--- a/src/ngCookies/cookies.js
+++ b/src/ngCookies/cookies.js
@@ -38,6 +38,10 @@ angular.module('ngCookies', ['ng']).
 * or a Date object indicating the exact date/time this cookie will expire.
 * - **secure** - `{boolean}` - If `true`, then the cookie will only be available through a
 * secured connection.
+ * - **samesite** - `{string}` - prevents the browser from sending the cookie along with cross-site requests.
+ * Accepts the values `lax` and `strict`. See the [OWASP Wiki](https://www.owasp.org/index.php/SameSite)
+ * for more info. Note that as of May 2018, not all browsers support `SameSite`,
+ * so it cannot be used as a single measure against Cross-Site-Request-Forgery (CSRF) attacks.
 *
 * Note: By default, the address that appears in your `` tag will be used as the path.
 * This is important so that cookies will be visible for all routes when html5mode is enabled.
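Review bot: The added line in cookieWriter.js emits `options.samesite` verbatim, so a mistyped value such as `'lax '` or `'Strict1'` is written into the cookie string and ignored by the browser, and the application ends up with a cookie that silently lacks the protection it asked for; the cookies.js hunk meanwhile documents `lax` and `strict` as "accepted" values, which nothing in the writer enforces. Since `$log` is already injected into `$$CookieWriter`, a one-line guard before the concatenation would surface the mistake without changing what the two new specs assert: `if (options.samesite && !/^(lax|strict)$/i.test(options.samesite)) $log.warn('Unsupported samesite value: ' + options.samesite);`. Whether or not that guard is added, the doc sentence in cookies.js should say the value is passed to the browser as given rather than "Accepts the values", so readers do not assume validation happens. The `$$CookieWriter` function begins and ends outside the hunk, so any existing `$log` usage it has is not visible here.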
diff --git a/test/ngCookies/cookieWriterSpec.js b/test/ngCookies/cookieWriterSpec.js
index d43fa8b37f6b..ddc0b590d663 100644
--- a/test/ngCookies/cookieWriterSpec.js
+++ b/test/ngCookies/cookieWriterSpec.js
@@ -181,6 +181,16 @@ describe('cookie options', function() {
 expect(getLastCookieAssignment('secure')).toBe(true);
 });
 
+ it('should accept samesite option when value is lax', function() {
+ $$cookieWriter('name', 'value', {samesite: 'lax'});
+ expect(getLastCookieAssignment('samesite')).toBe('lax');
+ });
+
+ it('should accept samesite option when value is strict', function() {
+ $$cookieWriter('name', 'value', {samesite: 'strict'});
+ expect(getLastCookieAssignment('samesite')).toBe('strict');
+ });
+ + it('should accept expires option on set', function() {
 $$cookieWriter('name', 'value', {expires: 'Fri, 19 Dec 2014 00:00:00 GMT'});
 expect(getLastCookieAssignment('expires')).toMatch(/^Fri, 19 Dec 2014 00:00:00 (UTC|GMT)$/);
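Review bot: The two new specs only check that a recognised value is echoed back; there is no negative case asserting that a cookie written without `samesite` (or with `samesite: false`) carries no `samesite` attribute, which is the falsy branch of the ternary added in cookieWriter.js. A third spec next to them, `$$cookieWriter('name', 'value', {});` followed by `expect(getLastCookieAssignment('samesite')).toBeUndefined();`, would pin that branch, assuming the helper reports a missing attribute as `undefined` (its implementation is outside the hunk, so the matcher may need adjusting). Covering a mixed-case value such as `'Lax'` would also document that the writer passes the string through unchanged rather than normalising it.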