feat(ngCookie): support SameSite option

m-amr · m-amr · commit 3c8b92620c1b · 2018-05-04T21:12:16.000+02:00
Closes angular#16543 Closes angular#16544
diff --git a/src/ngCookies/cookieWriter.js b/src/ngCookies/cookieWriter.js
@@ -33,6 +33,7 @@ function $$CookieWriter($document, $log, $browser) {
     str += options.domain ? ';domain=' + options.domain : '';
     str += expires ? ';expires=' + expires.toUTCString() : '';
     str += options.secure ? ';secure' : '';
+    str += options.SameSite ? ';SameSite=' + options.SameSite : '';
 
     // per http://www.ietf.org/rfc/rfc2109.txt browser must allow at minimum:
     // - 300 cookies
diff --git a/src/ngCookies/cookies.js b/src/ngCookies/cookies.js
@@ -38,6 +38,10 @@ angular.module('ngCookies', ['ng']).
      *   or a Date object indicating the exact date/time this cookie will expire.
      * - **secure** - `{boolean}` - If `true`, then the cookie will only be available through a
      *   secured connection.
+     * - **SameSite** - `{string}` - it will disable third-party usage for a specific cookie.
+     *   there are two possible values `lax` and `strict`. this attribute is still experimental and
+     *   is not supported by all browsers so it is better to use  CSRF tokens to prevent CSRF attack.
+     *
      *
      * Note: By default, the address that appears in your `<base>` tag will be used as the path.
      * This is important so that cookies will be visible for all routes when html5mode is enabled.
diff --git a/test/ngCookies/cookieWriterSpec.js b/test/ngCookies/cookieWriterSpec.js
@@ -181,6 +181,16 @@ describe('cookie options', function() {
     expect(getLastCookieAssignment('secure')).toBe(true);
   });
 
+  it('should accept sameSite option when value is lax', function() {
+    $$cookieWriter('name', 'value', {SameSite: 'lax'});
+    expect(getLastCookieAssignment('SameSite')).toBe('lax');
+  });
+
+  it('should accept sameSite option when value is strict', function() {
+    $$cookieWriter('name', 'value', {SameSite: 'strict'});
+    expect(getLastCookieAssignment('SameSite')).toBe('strict');
+  });
+
   it('should accept expires option on set', function() {
     $$cookieWriter('name', 'value', {expires: 'Fri, 19 Dec 2014 00:00:00 GMT'});
     expect(getLastCookieAssignment('expires')).toMatch(/^Fri, 19 Dec 2014 00:00:00 (UTC|GMT)$/);
