From fb2c36a0b3c1f2bce4d57b062d3b88688de3560f Mon Sep 17 00:00:00 2001
From: Rob Ede <robjtede@icloud.com>
Date: Thu, 16 Jan 2020 13:38:34 +0000
Subject: [PATCH] allow explicit SameSite=None cookies

fixes #1035
---
 actix-http/src/cookie/draft.rs | 16 ++++++++++++----
 actix-http/src/cookie/mod.rs   |  6 ++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/actix-http/src/cookie/draft.rs b/actix-http/src/cookie/draft.rs
index a2b03912130..175920ecf5b 100644
--- a/actix-http/src/cookie/draft.rs
+++ b/actix-http/src/cookie/draft.rs
@@ -10,18 +10,26 @@ use std::fmt;
 /// attribute is "Strict", then the cookie is never sent in cross-site requests.
 /// If the `SameSite` attribute is "Lax", the cookie is only sent in cross-site
 /// requests with "safe" HTTP methods, i.e, `GET`, `HEAD`, `OPTIONS`, `TRACE`.
-/// If the `SameSite` attribute is not present (made explicit via the
-/// `SameSite::None` variant), then the cookie will be sent as normal.
+/// If the `SameSite` attribute is not present then the cookie will be sent as
+/// normal. In some browsers, this will implicitly handle the cookie as if "Lax"
+/// and in others, "None". It's best to explicity set the `SameSite` attribute
+/// to avoid inconsistent behavior.
+/// 
+/// **Note:** Depending on browser, the `Secure` attribute may be required for
+/// `SameSite` "None" cookies to be accepted.
 ///
 /// **Note:** This cookie attribute is an HTTP draft! Its meaning and definition
 /// are subject to change.
+/// 
+/// More info about these draft changes can be found in the draft spec:
+/// - https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 pub enum SameSite {
     /// The "Strict" `SameSite` attribute.
     Strict,
     /// The "Lax" `SameSite` attribute.
     Lax,
-    /// No `SameSite` attribute.
+    /// The "None" `SameSite` attribute.
     None,
 }
 
@@ -92,7 +100,7 @@ impl fmt::Display for SameSite {
         match *self {
             SameSite::Strict => write!(f, "Strict"),
             SameSite::Lax => write!(f, "Lax"),
-            SameSite::None => Ok(()),
+            SameSite::None => write!(f, "None"),
         }
     }
 }
diff --git a/actix-http/src/cookie/mod.rs b/actix-http/src/cookie/mod.rs
index 13fd5cf4e6a..d9db600ea57 100644
--- a/actix-http/src/cookie/mod.rs
+++ b/actix-http/src/cookie/mod.rs
@@ -746,9 +746,7 @@ impl<'c> Cookie<'c> {
         }
 
         if let Some(same_site) = self.same_site() {
-            if !same_site.is_none() {
-                write!(f, "; SameSite={}", same_site)?;
-            }
+            write!(f, "; SameSite={}", same_site)?;
         }
 
         if let Some(path) = self.path() {
@@ -1037,7 +1035,7 @@ mod tests {
         let cookie = Cookie::build("foo", "bar")
             .same_site(SameSite::None)
             .finish();
-        assert_eq!(&cookie.to_string(), "foo=bar");
+        assert_eq!(&cookie.to_string(), "foo=bar; SameSite=None");
     }
 
     #[test]