Comments (3)
The treatment of cookies without a SameSite attribute is to place them inside of a "default" enforcement domain which browsers may treat differently from Lax, though they should be equivalent after some arbitrarily chosen time. Irrespective of this, the latest draft RFC does not raise any concerns about removing cookies with or without SameSite attributes, and I wouldn't expect browsers to trigger a warning on cookies not containing a SameSite attribute if they have an expiration date in the past. There's no point in doing so: the cookie will never be sent anywhere, so it can't possibly pose a security threat.
Do you have any evidence to indicate that browsers do or will do otherwise?
from cookie-rs.
I would agree with you here, but here is one from Firefox.
Even if it's an old cookie, it still checks them, which is something I would not expect either.
Edit: So we either need to set it to Lax, or SameSite=None with Secure set to true, which seems to be what they are focusing on.
from cookie-rs.
That feels like an issue for web browsers, not one that we should paper over here. The goal of this library is to be foundational and correct, not opinionated. For this reason, we don't arbitrarily set SameSite attributes, or any other attributes, for any cookies in this library, and I don't think we should automatically set them for removal cookies either, but this library liberally and conveniently allows setting them yourself. Should our position on that change, we can revisit this issue then. Until then, I'm closing this out.
Note: If you're using a web framework that uses this library, I would advocate that you raise an issue there. Web frameworks can be more opinionated. Rocket sets SameSite attributes automatically, for example. If it's not doing so for removal cookies, that sounds like an opportunity for improvement.
from cookie-rs.
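Setting the attributes on a removal cookie yourself, as the comment above recommends, in an added example. This is std-only Rust written for this page, not cookie-rs's own API (cookie-rs exposes its own builder for this); the `SameSite` enum, `removal_cookie` and `lint_set_cookie` names are hypothetical. The lint covers the two conditions the thread turns on: a Set-Cookie line with no SameSite attribute, and SameSite=None without Secure, which browsers reject.

```rust
// Added example, not cookie-rs code. Names below are hypothetical.
use std::fmt;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SameSite {
    Strict,
    Lax,
    None,
}

impl fmt::Display for SameSite {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(match self {
            SameSite::Strict => "Strict",
            SameSite::Lax => "Lax",
            SameSite::None => "None",
        })
    }
}

/// Build a Set-Cookie header value that removes `name`: empty value,
/// Max-Age=0 and an Expires date in the past. SameSite and Secure are
/// passed explicitly so the removal carries the same attributes as the
/// cookie it is meant to clear, instead of relying on browser defaults.
pub fn removal_cookie(name: &str, path: &str, same_site: SameSite, secure: bool) -> String {
    let mut header = format!(
        "{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path={path}; SameSite={same_site}"
    );
    if secure {
        header.push_str("; Secure");
    }
    header
}

/// Lint a Set-Cookie value the way a browser console would flag it.
/// Returns one finding per problem; an empty Vec means the line is clean.
pub fn lint_set_cookie(header: &str) -> Vec<&'static str> {
    let mut findings = Vec::new();
    // Attributes follow the first `name=value` segment, separated by ';'.
    let attrs: Vec<(String, Option<String>)> = header
        .split(';')
        .skip(1)
        .map(|a| {
            let a = a.trim();
            match a.split_once('=') {
                Some((k, v)) => (k.to_ascii_lowercase(), Some(v.trim().to_string())),
                None => (a.to_ascii_lowercase(), None),
            }
        })
        .collect();
    let same_site = attrs
        .iter()
        .find(|(k, _)| k == "samesite")
        .and_then(|(_, v)| v.clone())
        .map(|v| v.to_ascii_lowercase());
    let secure = attrs.iter().any(|(k, _)| k == "secure");
    match same_site.as_deref() {
        None => findings.push("missing SameSite attribute (browser applies its default)"),
        Some("none") if !secure => findings.push("SameSite=None without Secure is rejected"),
        _ => {}
    }
    findings
}

fn main() {
    // Constructed sample headers: two correct removals and two that a browser would flag.
    for h in [
        removal_cookie("session", "/", SameSite::Lax, true),
        removal_cookie("session", "/", SameSite::None, true),
        "session=; Max-Age=0; Path=/".to_string(),
        "session=; Max-Age=0; Path=/; SameSite=None".to_string(),
    ] {
        println!("{h}\n  -> {:?}", lint_set_cookie(&h));
    }
}
```

Pair the removal with the same Path and Domain the original cookie used; a removal whose attributes differ from the cookie being cleared is a different cookie to the browser and will not overwrite it.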