authorAmanda <afalke@igalia.com>2022-11-15 17:10:39 -0500
committerAmanda <afalke@igalia.com>2022-11-28 12:54:58 -0500
commitefc5efba6db6478a5fcb8c938ef0dcd10b35b136 (patch)
treed60d5643741664522727f25de0981750232fb73a
parent8d5f7c4355be873c812aba44bd2b5e30727511e2 (diff)
downloadlibsoup-efc5efba6db6478a5fcb8c938ef0dcd10b35b136.tar.gz
cookie: Change default same-site value to Lax
As per https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-00, the default value is now Lax. This change was introduced in Chrome 80 and Firefox 96.
-rw-r--r--libsoup/cookies/soup-cookie-jar-text.c4
-rw-r--r--libsoup/cookies/soup-cookie.c16
-rw-r--r--tests/cookies-test.c3
-rw-r--r--tests/samesite-test.c9
4 files changed, 22 insertions, 10 deletions
diff --git a/libsoup/cookies/soup-cookie-jar-text.c b/libsoup/cookies/soup-cookie-jar-text.c
index 274da259..cea09045 100644
--- a/libsoup/cookies/soup-cookie-jar-text.c
+++ b/libsoup/cookies/soup-cookie-jar-text.c
@@ -137,7 +137,7 @@ string_to_same_site_policy (const char *string)
else if (strcmp (string, "None") == 0)
return SOUP_SAME_SITE_POLICY_NONE;
else
- g_return_val_if_reached (SOUP_SAME_SITE_POLICY_NONE);
+ g_return_val_if_reached (SOUP_SAME_SITE_POLICY_LAX);
}
static const char *
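Review bot: The new fallback in string_to_same_site_policy sits on a g_return_val_if_reached path, so an unrecognised policy string is still reported as a programming error, even though the input presumably comes from a cookie file on disk that another program or an older version may have written. Falling back to Lax is the safer direction, and a comment such as `/* Unknown value in stored data: fall back to the default (Lax), never to None */` would record why. The matching fallback in same_site_policy_to_string in the next hunk could carry the same kind of comment. It is also worth confirming, outside this hunk, that the jar loader applies a parsed None explicitly, since a loader that skips the setter for None would now leave such cookies at the new Lax default. Both functions start outside their hunks.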
@@ -152,7 +152,7 @@ same_site_policy_to_string (SoupSameSitePolicy policy)
return "None";
}
- g_return_val_if_reached ("None");
+ g_return_val_if_reached ("Lax");
}
static SoupCookie*
diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c
index deb62009..0945d632 100644
--- a/libsoup/cookies/soup-cookie.c
+++ b/libsoup/cookies/soup-cookie.c
@@ -170,6 +170,7 @@ parse_one_cookie (const char *header, GUri *origin)
SoupCookie *cookie;
cookie = g_slice_new0 (SoupCookie);
+ soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);
/* Parse the NAME */
start = skip_lws (header);
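Review bot: The Lax default in soup-cookie.c is now established in two different ways, through soup_cookie_set_same_site_policy here in parse_one_cookie and by writing `cookie->same_site_policy` directly in cookie_new_internal in a later hunk. One file-level name for the default, used at both sites, would keep them from drifting if the default changes again, for example `#define DEFAULT_SAME_SITE_POLICY SOUP_SAME_SITE_POLICY_LAX` (the name is only a suggestion). parse_one_cookie continues outside this hunk.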
@@ -233,15 +234,15 @@ parse_one_cookie (const char *header, GUri *origin)
} else if (MATCH_NAME ("samesite")) {
if (has_value) {
char *policy = parse_value (&p, TRUE);
- if (g_ascii_strcasecmp (policy, "Lax") == 0)
- soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);
+ if (g_ascii_strcasecmp (policy, "None") == 0)
+ soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_NONE);
else if (g_ascii_strcasecmp (policy, "Strict") == 0)
soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_STRICT);
- /* There is an explicit "None" value which is the default. */
+ /* There is an explicit "Lax" value which is the default */
g_free (policy);
}
/* Note that earlier versions of the same-site RFC treated invalid values as strict but
- the latest revision simply ignores them. */
+ the latest revision assigns invalid SameSite values to Lax. */
} else {
/* Ignore unknown attributes, but we still have
* to skip over the value.
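Review bot: Lax is never assigned in the samesite branch; it only survives from the initialisation at the top of parse_one_cookie, so the updated comment ("assigns invalid SameSite values to Lax") does not match what the code does. If one header carries the attribute more than once (assuming this branch runs once per attribute), `SameSite=None; SameSite=Lax` or `SameSite=None; SameSite=bogus` leaves the cookie at None, the least restrictive outcome. Adding a final `else soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);` to the chain, and the same call in an `else` for the valueless `SameSite` case, lets the last attribute decide. The draft cited in the commit message also requires Secure on cookies that assert SameSite=None; nothing in this hunk checks that, so it may deserve a follow-up. The function starts and ends outside the hunk.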
@@ -328,6 +329,7 @@ cookie_new_internal (const char *name, const char *value,
cookie->domain = g_strdup (domain);
cookie->path = g_strdup (path);
soup_cookie_set_max_age (cookie, max_age);
+ cookie->same_site_policy = SOUP_SAME_SITE_POLICY_LAX;
return cookie;
}
@@ -359,6 +361,9 @@ cookie_new_internal (const char *name, const char *value,
* about setting the exact time that the cookie will expire, use
* [method@Cookie.set_expires].)
*
+ * As of version 3.4.0 the default value of a cookie's same-site-policy
+ * is %SOUP_SAME_SITE_POLICY_LAX.
+ *
* Returns: a new #SoupCookie.
**/
SoupCookie *
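Review bot: The added paragraph states the new default but not what a caller who relied on the old behaviour should do. One more sentence would help, e.g. `Call soup_cookie_set_same_site_policy() with %SOUP_SAME_SITE_POLICY_NONE if the cookie must also be sent on cross-site requests.` The next hunk adds the same paragraph to another doc comment and could note that there the Set-Cookie header's own SameSite attribute overrides the default.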
@@ -397,6 +402,9 @@ soup_cookie_new (const char *name, const char *value,
* appropriate string for the domain if you want to actually make use
* of the cookie.
*
+ * As of version 3.4.0 the default value of a cookie's same-site-policy
+ * is %SOUP_SAME_SITE_POLICY_LAX.
+ *
* Returns: (nullable): a new #SoupCookie, or %NULL if it could
* not be parsed, or contained an illegal "domain" attribute for a
* cookie originating from @origin.
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index eaf26518..1b71ad48 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -332,11 +332,12 @@ do_cookies_parsing_test (void)
got1 = TRUE;
g_assert_true (soup_cookie_get_http_only (cookie));
g_assert_true (soup_cookie_get_expires (cookie) != NULL);
+ g_assert_cmpint (soup_cookie_get_same_site_policy (cookie), ==, SOUP_SAME_SITE_POLICY_LAX);
} else if (!strcmp (soup_cookie_get_name (cookie), "two")) {
got2 = TRUE;
g_assert_true (soup_cookie_get_http_only (cookie));
g_assert_true (soup_cookie_get_expires (cookie) != NULL);
- g_assert_cmpint (soup_cookie_get_same_site_policy (cookie), ==, SOUP_SAME_SITE_POLICY_NONE);
+ g_assert_cmpint (soup_cookie_get_same_site_policy (cookie), ==, SOUP_SAME_SITE_POLICY_LAX);
} else if (!strcmp (soup_cookie_get_name (cookie), "three")) {
got3 = TRUE;
g_assert_true (soup_cookie_get_http_only (cookie));
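Review bot: These assertions cover only cookies that end up at the default. No case visible in this hunk checks a header with an explicit `SameSite=None`, an unrecognised value, or a repeated SameSite attribute, which are the paths the parser change in soup-cookie.c touches. Adding such headers to the parsing fixture, with one `g_assert_cmpint (soup_cookie_get_same_site_policy (cookie), ==, ...)` per case, would pin the behaviour. do_cookies_parsing_test extends beyond the hunk, so such cases may already exist elsewhere.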
diff --git a/tests/samesite-test.c b/tests/samesite-test.c
index 4b6884d8..91d31216 100644
--- a/tests/samesite-test.c
+++ b/tests/samesite-test.c
@@ -13,21 +13,24 @@ static void
same_site_setup (SameSiteFixture *fixture,
gconstpointer data)
{
- SoupCookie *cookie_none, *cookie_lax, *cookie_strict;
+ SoupCookie *cookie_none, *cookie_lax, *cookie_strict, *cookie_default;
fixture->origin_uri = g_uri_parse ("http://127.0.0.1", SOUP_HTTP_URI_FLAGS, NULL);
fixture->cross_uri = g_uri_parse ("http://localhost", SOUP_HTTP_URI_FLAGS, NULL);
fixture->jar = soup_cookie_jar_new ();
cookie_none = soup_cookie_new ("none", "1", "127.0.0.1", "/", 1000);
+ soup_cookie_set_same_site_policy (cookie_none, SOUP_SAME_SITE_POLICY_NONE);
cookie_lax = soup_cookie_new ("lax", "1", "127.0.0.1", "/", 1000);
soup_cookie_set_same_site_policy (cookie_lax, SOUP_SAME_SITE_POLICY_LAX);
cookie_strict = soup_cookie_new ("strict", "1", "127.0.0.1", "/", 1000);
soup_cookie_set_same_site_policy (cookie_strict, SOUP_SAME_SITE_POLICY_STRICT);
+ cookie_default = soup_cookie_new ("default", "1", "127.0.0.1", "/", 1000);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_none);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_lax);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_strict);
+ soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_default);
}
static void
@@ -52,10 +55,10 @@ assert_highest_policy_visible (GSList *cookies, SoupSameSitePolicy policy)
switch (policy) {
case SOUP_SAME_SITE_POLICY_STRICT:
- expected_count = 3;
+ expected_count = 4;
break;
case SOUP_SAME_SITE_POLICY_LAX:
- expected_count = 2;
+ expected_count = 3;
break;
case SOUP_SAME_SITE_POLICY_NONE:
expected_count = 1;