alex1990 / tiny-cookie Goto Github PK

https://blog.sindresorhus.com/get-ready-for-esm-aa53530b3f77

I notice in package.json, module field is the source code of the project, this means when use a build tools support es6 module (like webpack), the build tools would directly import the source code, which might cause some problems with UglifyJs.
For example, in webpack, when we use a babel loader, we usually exclude the node_modules to improve the build speed, so this means when we import tiny-cookie in webpack, the imported code is still in es6, and UglifyJs doesn't support es6.
My suggestion is we can have another folder(like lib), the code should transpile to es5 but it's in es6 module style.
Sorry for my poor english.

• The encoder parameter of the set method as the last one.
• Support arbitrary characters in the cookie name/key.
• Integrate getJSON and setJSON methods.
• The get method supports getting multiple cookie values. For example, get(['foo', 'bar']).
• The set method supports setting multiple cookie pairs. For example, set({ foo: 'Foo', bar: 'Bar' }).
• Add a demo page with github pages.
• Support using in server. See https://github.com/jshttp/cookie
• Add wiki document about cookie.

The cookie is path aware. So clearing all cookies is impossible with the set path. Besides, this demand is rarely come across in web applications.

Internet Explorer cookie internals (FAQ)

For security reasons, it would be nice to be able to set the SameSite attribute on a cookie as per:

https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca

https://www.filamentgroup.com/lab/spectre-js-cookie.html

There is a CookieStore API spec: https://wicg.github.io/cookie-store/.

Hi, when trying to remove a cookie which is marked secure with specific path, the removeCookie function fails because the function ignores the secure and path option. To get around, the code would have to use setCookie

Causes a critical failure for es6 imports.

diff --git a/tiny-cookie.js b/tiny-cookie.js
index 69541d5..1cd479b 100644
--- a/tiny-cookie.js
+++ b/tiny-cookie.js
@@ -116,7 +116,7 @@
   Cookie.get = function(key, raw) {
     if (typeof key !== 'string' || !key) return null;
 
-    key = '(?:^|; )' + escapeRe(key) + '(?:=([^;]*?))?(?:;|$)';
+    key = '(?:^|; )' + escapeRe(key) + '(?:=([^;]*))?(?:;|$)';
 
     var reKey = new RegExp(key);
     var res = reKey.exec(document.cookie);

The asterisk already means 0 or N. Can we remove the question mark?

Since I moved to the latest version 2.4.0 and build the project and try to run it in production mode the site throws this error:
The project is built in SvelteKit.

(node:49975) Warning: To load an ES module, set "type": "module" in the package.json or use the .mjs extension. (Use node --trace-warnings ... to show where the warning was created) This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). The promise rejected with the reason: /Projects/sveltekit-sk/node_modules/tiny-cookie/dist/tiny-cookie.esm.js:168 export { get, getAll, getAll as getAllCookies, get as getCookie, getRaw, getRaw as getRawCookie, isEnabled as isCookieEnabled, isEnabled, remove, remove as removeCookie, set, set as setCookie, setRaw, setRaw as setRawCookie };

• Use ES2015+.
• Use npm scripts instead of gulp.
• Reorganize the directory: src for ES2015+ code, lib for ES5 code, dist for release code.
• Support CI test with phantomjs or headless chrome.
• Use mocha test framework.
• One command to start an HTTPS server.
• Add cookie related links.

References

• js-cookie
• cookies.js
• Cookies

Currently remove sets the cookie value to 'a' which is confusing and means (among other things) calling get afterwards returns a value which isn't expected if you've just removed the cookie.

I can't find anything online indicating that it's a bad idea to set a cookie without a value (it seems that omitting the = is being debated, but foo=; should be completely valid).

Use toUTCString() instead of toGMTString.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toGMTString

If you haven't set the path option, it will be current path.

Importing tiny-cookie via babel appears to return undefined in v2.0.1:
https://gist.github.com/mogelbrod/2b0dc06094fae5ce460889d89bec5c62

babel-node index.js outputs undefined for me using the set up defined in the gist above.

Installed npm modules:

$ npm list --depth 1
[email protected] /Users/victor/src/test-cookie
├─┬ [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
├─┬ [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
└── [email protected]

"main" in package.json seems to point to lib/tiny-cookie.js, but there is no such file. Is there some reasoning behind this? To get the library to work with browserify, I added the following to my package.json:

  "browser": {
    "tiny-cookie": "tiny-cookie/dist/tiny-cookie.js"
  },

For record

Check the below links:

• Modernizr/Modernizr#666
• http://stackoverflow.com/questions/6125330/javascript-navigator-cookieenabled-browser-compatibility
• https://developer.mozilla.org/en-US/docs/Web/API/Navigator/cookieEnabled

While, in actually, JSON encoding and decoding is used rarely with cookie. At least, I never use it. But we can support it with an abstract transformer. JSON.stringify and encodeURIComponent are both encode transformer, JSON.parse and decodeURIComponent are both decode transformer. So we can make the code concise and extensible.

See the MDN's document: Secure and HttpOnly cookies

Or is this impossible, considering this is a JS lib?

At the moment setCookie takes 4 arguments (only 3 of them are documented though).
encoder is an optional argument but for some reason, it's not the last one. And it results in inconsistency:

setCookie('key', 'value'); // encoder == encodeURIComponent

but

setCookie('key', 'value', { domain: 'some.domain' }); // encoder == null

So, I would suggest to make encoder the last argument and also document it.
I can create a PR.

• Rewrite in TypeScript
• Support conditional exports
• Upgrade development dependencies
• Change eslint config
• Use Github Actions instead of Travis CI
• Rename branch "master" to "main"

I noticed that after upgrading to version 2.0, this package is no longer working in IE 11.

CI tests: https://travis-ci.org/github/Alex1990/tiny-cookie/jobs/662341580?utm_medium=notification&utm_source=github_status

See related issue in uglify: mishoo/UglifyJS#3394

feature request: would be nice if there was a /dist/tiny-cookie.umd.js builld.

Thanks!
-Ben

I am unable to remove cookies that have been set with a custom domain using the remove function, instead having to call set with a negative expires value.

One solution would be to allow options to be passed to remove.

tinyCookie.set('test', '1', {expires: 180, domain: 'custom.tld'}) // exposes cookie on *.custom.tld
tinyCookie.remove('test') // doesn't remove cookie
tinyCookie.set('test', '1', {expires: -1, domain: 'custom.tld'}) // removes cookie

When scanning a site which uses tiny-cookie through a service like https://www.onetrust.com/, we see an increased number in the reports of the @key@-cookie.

That's because the @key@-cookie is set to a relative path (eg. /features/foo, /features/bar) instead of a root path /.

Would you be open to a change, where the cookie path is updated to root (/)?
The changes would look like this:

- document.cookie = `${key}=${value}`;
+ document.cookie = `${key}=${value}; path=/`;