From 4d636d041a2466c860a9247edaa6aae736eca444 Mon Sep 17 00:00:00 2001
From: Ben Toews <mastahyeti@users.noreply.github.com>
Date: Tue, 15 Mar 2016 09:18:44 -0600
Subject: first-party cookies are now same-site cookies

remove use of `:first_party` option

pass along provided value

make the syntax more flexible

s/strict/Strict/
---
 HISTORY.md            |  4 ++++
 lib/rack/utils.rb     | 11 +++++++++--
 test/spec_response.rb | 24 ++++++++++++++++++------
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/HISTORY.md b/HISTORY.md
index f7795c5b..2d3a8e36 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,7 @@
+Tue Mar 15 15:18:44 2016 Ben Toews <mastahyeti@users.noreply.github.com>
+
+	* Backport support for the `SameSite` cookie attribute.
+
 Wed Jun 24 12:13:37 2015  Aaron Patterson <tenderlove@ruby-lang.org>
 
 	* Fix Ruby 1.8 backwards compatibility
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index ab36ed84..328f6554 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -311,13 +311,20 @@ module Rack
           rfc2822(value[:expires].clone.gmtime) if value[:expires]
         secure = "; secure"  if value[:secure]
         httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
-        first_party = "; First-Party" if value[:first_party]
+        same_site = if value[:same_site]
+          case value[:same_site]
+          when Symbol, String
+            "; SameSite=#{value[:same_site]}"
+          else
+            "; SameSite"
+          end
+        end
         value = value[:value]
       end
       value = [value] unless Array === value
       cookie = escape(key) + "=" +
         value.map { |v| escape v }.join("&") +
-        "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{first_party}"
+        "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
 
       case header["Set-Cookie"]
       when nil, ''
diff --git a/test/spec_response.rb b/test/spec_response.rb
index c0354934..bca892d6 100644
--- a/test/spec_response.rb
+++ b/test/spec_response.rb
@@ -97,17 +97,29 @@ describe Rack::Response do
     response["Set-Cookie"].should.equal "foo=bar"
   end
 
-  it "can set First-Party cookies" do
+  it "can set SameSite cookies with any truthy value" do
     response = Rack::Response.new
-    response.set_cookie "foo", {:value => "bar", :first_party => true}
-    response["Set-Cookie"].must_equal "foo=bar; First-Party"
+    response.set_cookie "foo", {:value => "bar", :same_site => Object.new}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite"
+  end
+
+  it "can set SameSite cookies with string value" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => "Lax"}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax"
+  end
+
+  it "can set SameSite cookies with symbol value" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :Strict}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
   end
 
   [ nil, false ].each do |non_truthy|
-    it "omits First-Party attribute given a #{non_truthy.inspect} value" do
+    it "omits SameSite attribute given a #{non_truthy.inspect} value" do
       response = Rack::Response.new
-      response.set_cookie "foo", {:value => "bar", :first_party => non_truthy}
-      response["Set-Cookie"].must_equal "foo=bar"
+      response.set_cookie "foo", {:value => "bar", :same_site => non_truthy}
+      response["Set-Cookie"].should.equal "foo=bar"
     end
   end
 
-- 
cgit v1.2.3-24-ge0c7