optimize cookie serialization and set sameSite to strict by default, to prepare for browser changes

Author: adrai

CHANGELOG.md

@@ -1,3 +1,7 @@
+### 5.0.1
+
+- optimize cookie serialization and set sameSite to strict by default, to prepare for browser changes
+
 ### 5.0.0
 
 - **BREAKING** needs i18next >= 19.5.0

README.md

@@ -66,7 +66,7 @@ As with all modules you can either pass the constructor function (class) to the
   htmlTag: document.documentElement,
 
   // optional set cookie options, reference:[MDN Set-Cookie docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)
-  cookieOptions: {path:'/'}
+  cookieOptions: { path: '/', sameSite: 'strict' }
 }
 ```
 

i18nextBrowserLanguageDetector.js

@@ -40,26 +40,90 @@
     return obj;
   }
 
+  // eslint-disable-next-line no-control-regex
+  var fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;
+
+  var serializeCookie = function serializeCookie(name, val, options) {
+    var opt = options || {};
+    opt.path = opt.path || '/';
+    var value = encodeURIComponent(val);
+    var str = name + '=' + value;
+
+    if (opt.maxAge > 0) {
+      var maxAge = opt.maxAge - 0;
+      if (isNaN(maxAge)) throw new Error('maxAge should be a Number');
+      str += '; Max-Age=' + Math.floor(maxAge);
+    }
+
+    if (opt.domain) {
+      if (!fieldContentRegExp.test(opt.domain)) {
+        throw new TypeError('option domain is invalid');
+      }
+
+      str += '; Domain=' + opt.domain;
+    }
+
+    if (opt.path) {
+      if (!fieldContentRegExp.test(opt.path)) {
+        throw new TypeError('option path is invalid');
+      }
+
+      str += '; Path=' + opt.path;
+    }
+
+    if (opt.expires) {
+      if (typeof opt.expires.toUTCString !== 'function') {
+        throw new TypeError('option expires is invalid');
+      }
+
+      str += '; Expires=' + opt.expires.toUTCString();
+    }
+
+    if (opt.httpOnly) str += '; HttpOnly';
+    if (opt.secure) str += '; Secure';
+
+    if (opt.sameSite) {
+      var sameSite = typeof opt.sameSite === 'string' ? opt.sameSite.toLowerCase() : opt.sameSite;
+
+      switch (sameSite) {
+        case true:
+          str += '; SameSite=Strict';
+          break;
+
+        case 'lax':
+          str += '; SameSite=Lax';
+          break;
+
+        case 'strict':
+          str += '; SameSite=Strict';
+          break;
+
+        case 'none':
+          str += '; SameSite=None';
+          break;
+
+        default:
+          throw new TypeError('option sameSite is invalid');
+      }
+    }
+
+    return str;
+  };
+
   var cookie = {
     create: function create(name, value, minutes, domain) {
       var cookieOptions = arguments.length > 4 && arguments[4] !== undefined ? arguments[4] : {
-        path: '/'
+        path: '/',
+        sameSite: 'strict'
       };
-      var expires;
 
       if (minutes) {
-        var date = new Date();
-        date.setTime(date.getTime() + minutes * 60 * 1000);
-        expires = '; expires=' + date.toUTCString();
-      } else expires = '';
-
-      domain = domain ? 'domain=' + domain + ';' : '';
-      cookieOptions = Object.keys(cookieOptions).reduce(function (acc, key) {
-        return acc + ';' + key.replace(/([A-Z])/g, function ($1) {
-          return '-' + $1.toLowerCase();
-        }) + '=' + cookieOptions[key];
-      }, '');
-      document.cookie = name + '=' + encodeURIComponent(value) + expires + ';' + domain + cookieOptions;
+        cookieOptions.expires = new Date();
+        cookieOptions.expires.setTime(cookieOptions.expires.getTime() + minutes * 60 * 1000);
+      }
+
+      if (domain) cookieOptions.domain = domain;
+      document.cookie = serializeCookie(name, encodeURIComponent(value), cookieOptions);
     },
     read: function read(name) {
       var nameEQ = name + '=';

i18nextBrowserLanguageDetector.min.js

@@ -1,16 +1,66 @@
+// eslint-disable-next-line no-control-regex
+const fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/
+
+const serializeCookie = (name, val, options) => {
+  const opt = options || {}
+  opt.path = opt.path || '/'
+  const value = encodeURIComponent(val)
+  let str = name + '=' + value
+  if (opt.maxAge > 0) {
+    const maxAge = opt.maxAge - 0
+    if (isNaN(maxAge)) throw new Error('maxAge should be a Number')
+    str += '; Max-Age=' + Math.floor(maxAge)
+  }
+  if (opt.domain) {
+    if (!fieldContentRegExp.test(opt.domain)) {
+      throw new TypeError('option domain is invalid')
+    }
+    str += '; Domain=' + opt.domain
+  }
+  if (opt.path) {
+    if (!fieldContentRegExp.test(opt.path)) {
+      throw new TypeError('option path is invalid')
+    }
+    str += '; Path=' + opt.path
+  }
+  if (opt.expires) {
+    if (typeof opt.expires.toUTCString !== 'function') {
+      throw new TypeError('option expires is invalid')
+    }
+    str += '; Expires=' + opt.expires.toUTCString()
+  }
+  if (opt.httpOnly) str += '; HttpOnly'
+  if (opt.secure) str += '; Secure'
+  if (opt.sameSite) {
+    const sameSite = typeof opt.sameSite === 'string' ? opt.sameSite.toLowerCase() : opt.sameSite
+    switch (sameSite) {
+      case true:
+        str += '; SameSite=Strict'
+        break
+      case 'lax':
+        str += '; SameSite=Lax'
+        break
+      case 'strict':
+        str += '; SameSite=Strict'
+        break
+      case 'none':
+        str += '; SameSite=None'
+        break
+      default:
+        throw new TypeError('option sameSite is invalid')
+    }
+  }
+  return str
+}
+
 let cookie = {
-  create: function(name,value,minutes,domain,cookieOptions = {path: '/'}) {
-    let expires;
+  create: function(name, value, minutes, domain, cookieOptions = { path: '/', sameSite: 'strict' }) {
     if (minutes) {
-      let date = new Date();
-      date.setTime(date.getTime() + (minutes * 60 * 1000));
-      expires = '; expires=' + date.toUTCString();
-    } 
-    else expires = '';
-    domain = domain ? 'domain=' + domain + ';' : '';
-    cookieOptions = Object.keys(cookieOptions).reduce((acc, key) => acc + ';' + 
-    key.replace(/([A-Z])/g, ($1) => '-' + $1.toLowerCase()) + '=' + cookieOptions[key], '',);
-    document.cookie = name + '=' + encodeURIComponent(value) + expires + ';' + domain + cookieOptions;
+      cookieOptions.expires = new Date();
+      cookieOptions.expires.setTime(cookieOptions.expires.getTime() + (minutes * 60 * 1000));
+    }
+    if (domain) cookieOptions.domain = domain;
+    document.cookie = serializeCookie(name, encodeURIComponent(value), cookieOptions);
   },
 
   read: function(name) {

src/browserLookups/cookie.js

@@ -22,7 +22,7 @@ describe('language detector', () => {
       }
       ld.cacheUserLanguage('it', ['cookie'])
       expect(global.document.cookie).to.match(/i18next=it/)
-      expect(global.document.cookie).to.match(/path=\//)
+      expect(global.document.cookie).to.match(/Path=\//)
       // expect(global.document.cookie).to.match(/my=cookie/)
     })
   })