feat: add none as a valid sameSite option

HISTORY.md

@@ -3,6 +3,7 @@ unreleased
 
   * Fix check for default `secure` option behavior
   * Fix `maxAge` option preventing cookie deletion
+  * Support `"none"` in `sameSite` option
   * deps: depd@~2.0.0
     - Replace internal `eval` usage with `Function` constructor
     - Use instance methods on `process` to check for listeners

index.js

@@ -26,7 +26,7 @@ var fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;
  * RegExp to match Same-Site cookie attribute value.
  */
 
-var sameSiteRegExp = /^(?:lax|strict)$/i
+var SAME_SITE_REGEXP = /^(?:lax|none|strict)$/i
 
 function Cookies(request, response, options) {
   if (!(this instanceof Cookies)) return new Cookies(request, response, options)
@@ -146,7 +146,7 @@ function Cookie(name, value, attrs) {
     throw new TypeError('option domain is invalid');
   }
 
-  if (this.sameSite && this.sameSite !== true && !sameSiteRegExp.test(this.sameSite)) {
+  if (this.sameSite && this.sameSite !== true && !SAME_SITE_REGEXP.test(this.sameSite)) {
     throw new TypeError('option sameSite is invalid')
   }
 }

test/cookie.js

@@ -95,6 +95,13 @@ describe('new Cookie(name, value, [options])', function () {
         })
       })
 
+      describe('when set to "none"', function () {
+        it('should set "samesite=none" attribute in header', function () {
+          var cookie = new cookies.Cookie('foo', 'bar', { sameSite: 'none' })
+          assert.equal(cookie.toHeader(), 'foo=bar; path=/; samesite=none; httponly')
+        })
+      })
+
       describe('when set to "strict"', function () {
         it('should set "samesite=strict" attribute in header', function () {
           var cookie = new cookies.Cookie('foo', 'bar', { sameSite: 'strict' })