cookie: Change default same-site value to Lax

As per https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-00,
the default value is now Lax.

This change was introduced in Chrome 80 and Firefox 96.

2 files changed, 14 insertions, 6 deletions

diff --git a/libsoup/cookies/soup-cookie-jar-text.c b/libsoup/cookies/soup-cookie-jar-text.c
index 274da259..cea09045 100644
--- a/libsoup/cookies/soup-cookie-jar-text.c
+++ b/libsoup/cookies/soup-cookie-jar-text.c
@@ -137,7 +137,7 @@ string_to_same_site_policy (const char *string)
 	else if (strcmp (string, "None") == 0)
 		return SOUP_SAME_SITE_POLICY_NONE;
 	else
-		g_return_val_if_reached (SOUP_SAME_SITE_POLICY_NONE);
+		g_return_val_if_reached (SOUP_SAME_SITE_POLICY_LAX);
 }
 
 static const char *
@@ -152,7 +152,7 @@ same_site_policy_to_string (SoupSameSitePolicy policy)
 		return "None";
 	}
 
-	g_return_val_if_reached ("None");
+	g_return_val_if_reached ("Lax");
 }
 
 static SoupCookie*
diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c
index deb62009..0945d632 100644
--- a/libsoup/cookies/soup-cookie.c
+++ b/libsoup/cookies/soup-cookie.c
@@ -170,6 +170,7 @@ parse_one_cookie (const char *header, GUri *origin)
 	SoupCookie *cookie;
 
 	cookie = g_slice_new0 (SoupCookie);
+	soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);
 
 	/* Parse the NAME */
 	start = skip_lws (header);
@@ -233,15 +234,15 @@ parse_one_cookie (const char *header, GUri *origin)
 		} else if (MATCH_NAME ("samesite")) {
 			if (has_value) {
 				char *policy = parse_value (&p, TRUE);
-				if (g_ascii_strcasecmp (policy, "Lax") == 0)
-					soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_LAX);
+				if (g_ascii_strcasecmp (policy, "None") == 0)
+					soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_NONE);
 				else if (g_ascii_strcasecmp (policy, "Strict") == 0)
 					soup_cookie_set_same_site_policy (cookie, SOUP_SAME_SITE_POLICY_STRICT);
-				/* There is an explicit "None" value which is the default. */
+				/* There is an explicit "Lax" value which is the default */
 				g_free (policy);
 			}
 			/* Note that earlier versions of the same-site RFC treated invalid values as strict but
-			   the latest revision simply ignores them. */
+			   the latest revision assigns invalid SameSite values to Lax. */
 		} else {
 			/* Ignore unknown attributes, but we still have
 			 * to skip over the value.
@@ -328,6 +329,7 @@ cookie_new_internal (const char *name, const char *value,
 	cookie->domain = g_strdup (domain);
 	cookie->path = g_strdup (path);
 	soup_cookie_set_max_age (cookie, max_age);
+	cookie->same_site_policy = SOUP_SAME_SITE_POLICY_LAX;
 
 	return cookie;
 }
@@ -359,6 +361,9 @@ cookie_new_internal (const char *name, const char *value,
  * about setting the exact time that the cookie will expire, use
  * [method@Cookie.set_expires].)
  *
+ * As of version 3.4.0 the default value of a cookie's same-site-policy
+ * is %SOUP_SAME_SITE_POLICY_LAX.
+ *
  * Returns: a new #SoupCookie.
  **/
 SoupCookie *
@@ -397,6 +402,9 @@ soup_cookie_new (const char *name, const char *value,
  * appropriate string for the domain if you want to actually make use
  * of the cookie.
  *
+ * As of version 3.4.0 the default value of a cookie's same-site-policy
+ * is %SOUP_SAME_SITE_POLICY_LAX.
+ *
  * Returns: (nullable): a new #SoupCookie, or %NULL if it could
  *   not be parsed, or contained an illegal "domain" attribute for a
  *   cookie originating from @origin.