Updated cookie SameSite policy for all cookies created

Author: msamprz

src/javascript/_common/language.js

@@ -26,7 +26,7 @@ const Language = (() => {
     const setCookieLanguage = (lang) => {
         if (!Cookies.get('language') || lang) {
             const cookie = new CookieStorage('language');
-            cookie.write((lang || getLanguage()).toUpperCase());
+            cookie.write((lang || getLanguage()).toUpperCase(), undefined, true, 'none');
         }
     };
 

src/javascript/_common/storage.js

@@ -136,28 +136,30 @@ CookieStorage.prototype = {
         }
         this.initialized = true;
     },
-    write(val, expireDate, isSecure) {
+    write(val, expireDate, isSecure, sameSite) {
         if (!this.initialized) this.read();
         this.value = val;
         if (expireDate) this.expires = expireDate;
         Cookies.set(this.cookie_name, this.value, {
-            expires: this.expires,
-            path   : this.path,
-            domain : this.domain,
-            secure : !!isSecure,
+            expires : this.expires,
+            path    : this.path,
+            domain  : this.domain,
+            secure  : !!isSecure,
+            sameSite: sameSite || 'strict',
         });
     },
     get(key) {
         if (!this.initialized) this.read();
         return this.value[key];
     },
-    set(key, val) {
+    set(key, val, options) {
         if (!this.initialized) this.read();
         this.value[key] = val;
         Cookies.set(this.cookie_name, this.value, {
             expires: new Date(this.expires),
             path   : this.path,
             domain : this.domain,
+            ...options,
         });
     },
     remove() {

src/javascript/app/base/footer.js

@@ -77,7 +77,7 @@ const Footer = (() => {
                         $dialog_notification.slideUp(200);
                         el_footer.style.paddingBottom = '0px';
                         $status_notification.css('bottom', `${gap_to_notification}px`);
-                        Cookies.set('CookieConsent', 1);
+                        Cookies.set('CookieConsent', 1, { sameSite: 'strict', secure: true });
                     });
                 window.addEventListener('resize', () => {
                     adjustElevioAndScrollup($dialog_notification.height() + gap_dialog_to_elevio,

src/javascript/app/base/interview_popup.js

@@ -22,13 +22,15 @@ const InterviewPopup = (() => {
                     $interview_popup.removeClass('invisible');
                 }, 2000);
                 $interview_no_thanks.one('click', () => {
-                    Cookies.set('InterviewConsent', 1);
+                    Cookies.set('InterviewConsent', 1, { sameSite: 'strict', secure: true });
                     $interview_popup.addClass('invisible');
                 });
                 $interview_ask_later.one('click', () => {
                     const interval_time = 1 / 12;
                     Cookies.set('InterviewConsent', 1, {
-                        expires: interval_time,
+                        expires : interval_time,
+                        sameSite: 'strict',
+                        secure  : true,
                     });
                     $interview_popup.addClass('invisible');
                 });
@@ -42,7 +44,7 @@ const InterviewPopup = (() => {
                         const pre_phone   = `&entry.1442583433=${get_settings.phone}`;
                         const encode_uri  =  (`${url}${pre_name}${pre_email}${pre_country}${pre_phone}`).replace(/\+/g, '%2B');
                         $interview_popup.addClass('invisible');
-                        Cookies.set('InterviewConsent', 1);
+                        Cookies.set('InterviewConsent', 1, { sameSite: 'strict', secure: true });
                         window.open(encode_uri, '_blank');
                     });
                 });

src/javascript/app/base/page.js

@@ -146,9 +146,11 @@ const Page = (() => {
         }
 
         Cookies.set('affiliate_tracking', cookie_hash, {
-            expires: 365, // expires in 365 days
-            path   : '/',
-            domain : `.${location.hostname.split('.').slice(-2).join('.')}`,
+            expires : 365, // expires in 365 days
+            path    : '/',
+            domain  : `.${location.hostname.split('.').slice(-2).join('.')}`,
+            sameSite: 'none',
+            secure  : true,
         });
         return true;
     };

src/javascript/app/common/guide.js

@@ -61,7 +61,7 @@ const Guide = (() => {
     const setDisabled = () => {
         if (!isDisabled()) {
             const disabled = Cookies.get(cookie_name);
-            Cookies.set(cookie_name, (!disabled ? opt.script : `${disabled},${opt.script}`));
+            Cookies.set(cookie_name, (!disabled ? opt.script : `${disabled},${opt.script}`), { sameSite: 'strict', secure: true });
         }
     };
 

src/javascript/app/common/traffic_source.js

@@ -51,7 +51,7 @@ const TrafficSource = (() => {
         if (params.utm_source) { // url params can be stored only if utm_source is available
             param_keys.map((key) => {
                 if (params[key] && !current_values[key]) {
-                    cookie.set(key, params[key]);
+                    cookie.set(key, params[key], { sameSite: 'none', secure: true });
                 }
             });
         }
@@ -68,7 +68,7 @@ const TrafficSource = (() => {
             referrer = doc_ref;
         }
         if (referrer && !current_values.referrer && !params.utm_source && !current_values.utm_source) {
-            cookie.set('referrer', (Url.getLocation(referrer)).hostname);
+            cookie.set('referrer', (Url.getLocation(referrer)).hostname, { sameSite: 'none', secure: true });
         }
     };
 

src/javascript/app/pages/user/account/authenticate.js

@@ -902,8 +902,9 @@ const Authenticate = (() => {
                 const token = response.service_token.token;
                 const in_90_minutes = 1 / 16;
                 Cookies.set('onfido_token', token, {
-                    expires: in_90_minutes,
-                    secure : true,
+                    expires : in_90_minutes,
+                    secure  : true,
+                    sameSite: 'strict',
                 });
                 resolve({ token });
             });
@@ -930,7 +931,7 @@ const Authenticate = (() => {
         }
 
         const service_token_response = await getOnfidoServiceToken();
-        
+
         if (
             service_token_response.error &&
             service_token_response.error.code === 'MissingPersonalDetails'
@@ -954,7 +955,7 @@ const Authenticate = (() => {
 
             $('#missing_personal_fields').html(error_msgs);
         }
-        
+
         const { identity, document } = authentication_status;
 
         const is_fully_authenticated = identity.status === 'verified' && document.status === 'verified';
@@ -965,7 +966,7 @@ const Authenticate = (() => {
             $('#authentication_tab').setVisibility(0);
             $('#authentication_verified').setVisibility(1);
         }
-        
+
         if (has_personal_details_error) {
             $('#personal_details_error').setVisibility(1);
         } else if (!identity.further_resubmissions_allowed) {
@@ -1036,7 +1037,7 @@ const Authenticate = (() => {
             $('#authentication_loading').setVisibility(0);
             $('#authentication_unneeded').setVisibility(1);
         }
-        
+
         const has_svg_account = Client.hasSvgAccount();
         if (is_required || has_svg_account){
             initTab();