Removal of "secure" breaks "SameSite=None"

[gavenkoa]

The plugin has code:

/* On insecure connections, remove `secure` attribute from remote cookies */
const setCookies = remoteRes.headers['set-cookie']
if (!ctx.req.socket.encrypted && !lws.config.rewriteKeepSecureAttr && setCookies && setCookies.length) {
  const cookies = setCookies.map(c => util.removeCookieAttribute(c, 'secure'))
  remoteRes.headers['set-cookie'] = cookies
}

If secure attribute is removed but there is "SameSite=None" a browser rejects cookie, breaking all login pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie for exact error message in a browser DevTools:

Cookie "myCookie" rejected because it has the "SameSite=None" attribute but is missing the "secure" attribute.
This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".

Consider removing SameSite=None together with secure. Other values of SameSite are safe without secure.

[75lb]

Have you tried removing SameSite=none along with secure and verified it works for you?

Also, just a reminder there is a flag you can set to override secure stripping:

  --rewrite.keep-secure-attr       When local-web-server is running in plain, insecure HTTP mode (not HTTPS or
                                   HTTP2), stripping the `secure` attribute from remote, rewrite-target cookies
                                   is the default behaviour. Set this flag to leave remote `secure` cookies
                                   untouched - this may prevent cookies functioning correctly when your server
                                   is plain HTTP.

[gavenkoa]

I didn't remote SameSite=None, instead I changed the source to pass SameSite=Lax as a workaround.

As we proxy API to http://localhost:3000 for Next.js static app build, pointing to STAGE env for API served via https://..., the removal of secure attribute is a correct behavior.

Breaking thing is keeping SameSite=None, when secure is removed. SameSite=None cannot be without secure in modern browsers - the Set-Cookie ignored in this case. For local development with traditional Node.js http://localhost:3000 - both should be stripped.

[75lb]

The fix has landed in lws-rewrite v4.0.0, will post against once I've added it to local-web-server..

[75lb]

Fixed and released in local-web-server v5.4.0