Adds setCookieSameSite security option.
#13
Conversation
SameSite is an interesting cookie option that asserts that a cookie should not be included in cross-origin requests. This commit adds a sum type `SameSiteOption` and a function `setCookieSameSite` for interacting with this option. Here is the draft: https://tools.ietf.org/html/draft-west-first-party-cookies-07
Web/Cookie.hs
Outdated
| rnf g `seq` | ||
| rnf h | ||
| rnf h `seq` | ||
| rnfMBS i |
There was a problem hiding this comment.
This doesn't look correct. Why not define a NFData instance for SameSiteOption and then use rnf?
There was a problem hiding this comment.
Actually, my comment was to then replace rnfMBS i with rnf i
Web/Cookie.hs
Outdated
| , setCookieHttpOnly | ||
| , setCookieSecure | ||
| , setCookieSameSite | ||
| , SameSiteOption(..) |
There was a problem hiding this comment.
If you aren't opposed, I'd rather switch to smart constructors in case additional SameSiteOption values become valid in the future. I can make that tweak myself if you're OK with it, or you can. What I would picture is:
- Only expose the
SameSiteOptiontype, not its constructors - Provide
sameSiteLax :: SameSiteOptionandsameSiteStrict :: SameSiteOptionexports
There was a problem hiding this comment.
That sounds good to me. Added in 4ca5673
Web/Cookie.hs
Outdated
| , setCookieHttpOnly = isJust $ lookup "httponly" flags | ||
| , setCookieSecure = isJust $ lookup "secure" flags | ||
| , setCookieSameSite = case lookup "samesite" flags of | ||
| Just "Lax" -> Just Lax |
There was a problem hiding this comment.
just noticed the indentation here is a little off, fixing
|
Awesome, merged. I added a small fix to the new |
SameSite is an interesting cookie option that asserts that a cookie
should not be included in cross-origin requests. This commit adds a sum
type
SameSiteOptionand a functionsetCookieSameSitefor interactingwith this option.
Here is the draft: https://tools.ietf.org/html/draft-west-first-party-cookies-07