feat: add none as a valid sameSite option

[panva]

Resources:

• https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03
• https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
• https://web.dev/samesite-cookies-explained/#other-languages-and-platforms

closes #109

[dougwilson]

Hi @panva thank you so much for putting this together! I am working to kick off the 0.8 branch to include the 0.8 milestone items in (including both your PRs) to get them out there very soon!

[panva]

@dougwilson - can I somehow help with the 0.8 release? as this module is required by koa for handling cookies the absence of none as a possible value is a bummer for people getting frameworks ready for the chrome change.

Could we just merge this into the 0.7.x release without thinking about 0.8? Below 1.0.0 under semver this is a new feature which should not warrant 0.8 breaking change. That would mean koa does not have to have a new release with a new semver range included too.

[dougwilson]

The reason this is 0.8 is because it is a new feature, and since there are no rules in 0.x, I try to follow the path vs feature ones. Semver FAQ recommends also just bumping the minor part in the 0.x series for simplicity. But really, that has nothing to do with this not landing yet and the stuff slated for 0.8 above is not all required to land this.

Instead, from what I recall, there is an issue where another user objected to the way this pr was done and there was to be a discussion before landing this, which is why it was on hold. Did that discussion ever resolve?

[dougwilson]

It is unfortunate as you happened to bump this at just the wrong time :) my priority today will be to resolve pillarjs/hbs#176 . Ideally I can get that resolved and out there before I leave on a trip. Once I get back from said trip, I will come back to this PR and check on what the state of the discussion is on the linked issue.

If you can help get a consensus on there that would help a lot. Otherwise we are looking for I will circle back on this in two weeks' time, I promise.

[panva]

The issue was about allowing any value which I think there's a consensus on that its not needed. For now allowing a spec-defined value just like the other two is all that's needed.

If we could just land this in isolation and release soon it would be amazing. Other issues can probably wait for 0.9 then (milestone name change).

[dougwilson]

Yes, I will do so in 2 weeks.

[panva]

🙏

[dougwilson]

Hi all, I will be working to get this published today, after two other modules that just need security fixes released, but they should be straightforward.

[panva]

Thank you @dougwilson