@alicloud/cookie - npm Package Compare versions

Comparing version 1.6.2 to 1.6.3-beta.1

build/cjs/const/index.js

15

build/cjs/index.js

@@ -7,2 +7,8 @@ "use strict";

});
Object.defineProperty(exports, "canSetCookies", {
enumerable: true,
get: function get() {
return _canSetCookies.default;
}
});
Object.defineProperty(exports, "deleteCookie", {

@@ -26,2 +32,8 @@ enumerable: true,

});
Object.defineProperty(exports, "getCookies", {
enumerable: true,
get: function get() {
return _getAllCookies.default;
}
});
Object.defineProperty(exports, "setCookie", {

@@ -36,2 +48,3 @@ enumerable: true,

var _setCookie = _interopRequireDefault(require("./util/set-cookie"));
var _deleteCookie = _interopRequireDefault(require("./util/delete-cookie"));
var _deleteCookie = _interopRequireDefault(require("./util/delete-cookie"));
var _canSetCookies = _interopRequireDefault(require("./util/can-set-cookies"));

11

build/cjs/util/delete-cookie.js
"use strict";
var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
Object.defineProperty(exports, "__esModule", {

@@ -8,3 +7,3 @@ value: true

exports.default = deleteCookie;
var _setCookie = _interopRequireDefault(require("./set-cookie"));
var _setCookie2 = require("./set-cookie");
/**

@@ -16,8 +15,10 @@ * 删除 cookie,其实设置一个过期时间为此刻之前的时间,浏览器会自动清理过期的 cookie(其实这里设不设值都无所谓)

domain = _ref.domain,
path = _ref.path;
(0, _setCookie.default)(name, '', {
path = _ref.path,
partitioned = _ref.partitioned;
(0, _setCookie2._setCookie)(name, '', {
domain: domain,
path: path,
days: -1
days: -1,
partitioned: partitioned
});
}

@@ -31,5 +31,4 @@ "use strict";

}
return result;
}, {});
}

@@ -11,3 +11,2 @@ "use strict";

}
var d = new Date(); // 过期时间

@@ -14,0 +13,0 @@

@@ -7,8 +7,13 @@ "use strict";

});
exports._setCookie = _setCookie;
exports.default = setCookie;
var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
var _deleteCookie = _interopRequireDefault(require("./delete-cookie"));
var _getExpireDate = _interopRequireDefault(require("./get-expire-date"));
var _getDomain = _interopRequireDefault(require("./get-domain"));
function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { (0, _defineProperty2.default)(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
/**
* 设置 cookie,默认为时间为 180 天,设置 extra.days 为 0 可以保存为 session cookie
*
*
* HTTP 下,非 Iframe、Iframe 不跨域、Iframe 跨子域(跨全域都不行)成功的测试用例:

@@ -32,3 +37,3 @@ *

*/
function setCookie(name, value) {
function _setCookie(name, value) {
var _ref = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {},

@@ -42,6 +47,8 @@ _ref$domain = _ref.domain,

sameSite0 = _ref.sameSite,
secure0 = _ref.secure;
secure0 = _ref.secure,
partitioned0 = _ref.partitioned;
var parts = ["".concat(name, "=").concat(encodeURIComponent(value)), "domain=".concat(domain), "path=".concat(path), "expires=".concat((0, _getExpireDate.default)(days))];
var sameSite = sameSite0;
var secure = secure0;
var partitioned = partitioned0;

@@ -59,3 +66,19 @@ // 自动 sameSite + secure

}
if (partitioned === true) {
parts.push('partitioned');
}
document.cookie = parts.join('; ');
}
function setCookie(name, value) {
var options = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {};
try {
// xxx: 先强行干掉所有分区 Cookie
(0, _deleteCookie.default)(name, _objectSpread(_objectSpread({}, options), {}, {
partitioned: true
}));
// xxx: 先只设置非分区 Cookie
_setCookie(name, value, options);
} catch (e) {
// 静默处理
}
}
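Review bot: The new `setCookie` wrapper at the end of this hunk puts the partitioned-cookie cleanup and the real write in a single `try`/`catch` that swallows everything, so a throw inside the `_deleteCookie` call skips `_setCookie` entirely and the caller never learns that no cookie was written, whereas before this change the failure propagated. Only the cleanup is best-effort, so guard just that call and let write errors surface: keep `try { (0, _deleteCookie.default)(name, _objectSpread(...{ partitioned: true })); } catch (e) { /* best-effort cleanup */ }` and move `_setCookie(name, value, options);` after the `catch`. This file is compiled Babel output, so the change belongs in the TypeScript source of `set-cookie`. Separately, `parts.push('partitioned')` is unconditional while the `Secure` attribute is decided in the automatic sameSite/secure block above this hunk, and browsers only honor `Partitioned` on `Secure` cookies, so on an `http:` page the cleanup delete is presumably rejected by the browser — worth confirming with the existing test matrix in the README. The body of `_setCookie` starts outside this hunk, and `set-cookie` and `delete-cookie` now `require` each other, which works here only because each reads the other's export lazily at call time.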

@@ -1,5 +0,7 @@

export { default as getAllCookies } from './util/get-all-cookies';
import { default as getAllCookies } from './util/get-all-cookies';
export { getAllCookies, getAllCookies as getCookies };
export { default as getCookie } from './util/get-cookie';
export { default as setCookie } from './util/set-cookie';
export { default as deleteCookie } from './util/delete-cookie';
export type { ICookieSetOptions as CookieSetOptions, ICookieDeleteOptions as CookieDeleteOptions } from './types';
export { default as canSetCookies } from './util/can-set-cookies';
export type { ICookieSetOptions, ICookieSetOptions as CookieSetOptions, ICookieDeleteOptions, ICookieDeleteOptions as CookieDeleteOptions } from './types';

@@ -11,2 +11,3 @@ export interface ICookieOptions {

secure?: boolean;
partitioned?: boolean;
}
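Review bot: The new `partitioned?: boolean` member of `ICookieOptions` carries no doc comment, so a consumer reading the typings cannot tell that it maps to the CHIPS `Partitioned` cookie attribute or that browsers honor it only together with `Secure`; the README's `setCookie` options block in this same compare also omits it. Suggest a TSDoc line above the field: `/** Sets the CHIPS Partitioned attribute; browsers only honor it when the cookie is also Secure. */`. The `ICookieOptions` declaration starts outside this hunk.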

@@ -13,0 +14,0 @@ export interface ICookieSetOptions extends ICookieOptions {

@@ -5,2 +5,2 @@ import { ICookieDeleteOptions } from '../types';

*/
export default function deleteCookie(name: string, { domain, path }?: ICookieDeleteOptions): void;
export default function deleteCookie(name: string, { domain, path, partitioned }?: ICookieDeleteOptions): void;

@@ -23,2 +23,3 @@ import { ICookieSetOptions } from '../types';

*/
export default function setCookie(name: string, value: string | number | boolean, { domain, path, days, sameSite: sameSite0, secure: secure0 }?: ICookieSetOptions): void;
export declare function _setCookie(name: string, value: string | number | boolean, { domain, path, days, sameSite: sameSite0, secure: secure0, partitioned: partitioned0 }?: ICookieSetOptions): void;
export default function setCookie(name: string, value: string | number | boolean, options?: ICookieSetOptions): void;
# CHANGELOG
## 1.6.0 @法海
* 由于 Chrome 即将开始强制禁用三方 Cookie,因此根据其 CHIPS 方案做了适配。
## 1.0.0 2020/11/30 @驳是
* 开源第一版
* 开源第一版。
{
"name": "@alicloud/cookie",
"version": "1.6.2",
"version": "1.6.3-beta.1",
"description": "ConsoleBase Cookie",

@@ -8,3 +8,3 @@ "license": "MIT",

"main": "build/cjs/index.js",
"module": "build/es/index.js",
"module": "build/esm/index.js",
"types": "build/types/index.d.ts",

@@ -18,14 +18,11 @@ "author": {

},
"keywords": [
"util",
"cookie"
],
"keywords": [],
"devDependencies": {
"@alicloud/console-toolkit-cli": "^1.2.30",
"@alicloud/console-toolkit-preset-component": "^1.2.61",
"@alicloud/demo-rc-elements": "^1.11.16",
"@alicloud/demo-rc-elements": "^1.13.0",
"@alicloud/ts-config": "^1.1.3",
"@types/react": "^17.0.48",
"@types/react": "^17.0.58",
"react": "^17.0.2",
"typescript": "^4.9.5"
"typescript": "^5.0.4"
},

@@ -38,7 +35,8 @@ "scripts": {

"build:bundle": "breezr build --engine webpack",
"build:typings": "tsc --outDir build/types --declaration --emitDeclarationOnly",
"build": "yarn build:esm && yarn build:cjs && yarn build:typings",
"clean": "rm -rf build"
"build:types": "tsc -p tsconfig-declaration.json --outDir build/types --declaration --emitDeclarationOnly",
"build": "yarn build:esm && yarn build:cjs && yarn build:types",
"clean": "rm -rf build",
"prepublishOnly": "yarn clean && yarn build"
},
"gitHead": "056768173dd99b5af268df646c8a09eb08648920"
"gitHead": "e3daf0b177915f37e8beae4ecee204d8c62f9507"
}
# @alicloud/cookie
yet... another 饼干的获取和操作工具
> (又一个)Cookie 的操作工具。
## INSTALL
## 何时使用
```shell
tnpm i @alicloud/cookie -S
```
需要读写浏览器 Cookie 时。本工具包有如下特点:
## APIs
* 无任何额外的依赖。
* 考虑了安全传输(HTTPS)和跨站点访问(iframe)的问题,以最佳实践设定 `SameSite` 和 `Secure` 字段。了解更多:《[在 HTTPS 和 iframe 下关于 SameSite + Secure 行为的研究][research-1]》
* 考虑了三方 Cookie 禁用的问题,以最佳实践设定 `Partitioned` 字段。
## getAllCookies
## API
获取当前页面可以访问到的全部 cookie。
### `getCookies()`
获取当前页面可以访问到的全部 Cookie。
```typescript
function getAllCookies(): object;
function getCookies(): Record<string, string>;
function getAllCookies(): Record<string, string>;
```
## getCookie
`getAllCookies()` 是一个别名。
获取单个 cookie
### `getCookie()`
获取当前页面可以访问到的某一个特定的 Cookie。
```typescript

@@ -29,18 +34,24 @@ function getCookie(name: string): string | undefined;

## setCookie
### `setCookie()`
设置 cookie,设置 cookie,默认为时间为 180 天,设置 extra.days 为 0 可以保存为 session cookie(expires 为空)
写 Cookie。
```typescript
function setCookie(name: string, value: string, extra: {
domain?: string; // 默认为当前页面的二级域名,如 `.aliyun.com`,如果是 IP 则为 IP,如 `127.0.0.1`
path?: string; // 默认 '/'
days?: number; // 默认 180,传入 `days: 0` 成为 session cookie
encoding?: boolean; // 默认 true,传入 `false` 可保存原始的值(比如 value 已经经过 base64 编码过)
// 默认为当前页面的二级域名,如 `.aliyun.com`
// 如果是 IP 则为 IP,如 `127.0.0.1`
domain?: string;
// 默认 '/'
path?: string;
// 默认 180,若传入 0 则 Cookie 的 expires 为空,即成为 Session Cookie
// 若传入 -1 则相当于删除 Cookie
days?: number;
// 默认 true,传入 false 可保存原始的值(比如 value 已经由 base64 编码过)
encoding?: boolean;
} = {}): void;
```
## deleteCookie
### `deleteCookie()`
删除 cookie,其实设置一个过期时间为此刻之前的时间,浏览器会自动清理过期的 cookie
删除特定 Cookie。本质上是设置 `expires` 为过去的时间,浏览器会自动清理过期的 Cookie。

@@ -54,269 +65,14 @@ ```typescript

## SameSite + Secure 以及 HTTPS 和 Iframe 的影响
### `canSetCookies()`
以下条件下:
嗅探是否可以在当前页写 Cookie。
* 协议
+ `http://`
+ `https://`
* iframe
+ 无
+ 不跨域
+ 跨子域
+ 跨全域
注意,如果浏览器只是禁用了三方 Cookie(而非完全禁用 Cookie 功能),那还是可以通过 CHIPS 方案在兼容的浏览器下写 Partitioned Cookie。
SameSite 和 Secure 各值:
> 由于本方法不接受参数,所以命名为复数,而非用来特指的单数。
* SameSite
+ undefined
+ Lax
+ Strict
+ None
* Secure
+ true
+ false
在各个浏览器:
* 浏览器
+ Firefox
+ Chrome
+ Safari
下对 set cookie 的影响。
### 测试脚本
注意,在 Iframe 下,需通过浏览器的 Console 切换到对应的 Iframe 上下文。
```javascript
(() => {
function setCookie(name, value, {
path = '/',
sameSite,
secure
} = {}) {
const parts = [
`${name}=${encodeURIComponent(value)}`,
// `domain=${domain}`,
`path=${path}`
];
if (sameSite !== undefined) {
parts.push(`sameSite=${sameSite}`);
}
if (secure !== undefined) {
parts.push(`secure=${secure}`);
}
document.cookie = parts.join('; ');
}
function getCookie(name) {
return document.cookie.split(/\s*;\s*/).reduce((result, v) => {
const [cookieName, cookieValue] = v.split('=');
try {
result[cookieName] = decodeURIComponent(cookieValue);
} catch (err) {
}
return result;
}, {})[name];
}
const TIME = Date.now();
const ITEMS = [undefined, 'Lax', 'Strict', 'None'].reduce((result, sameSite) => {
[undefined, true, false].forEach(secure => {
const name = `TEST_SameSite_${sameSite}__Secure_${secure}`;
const value = `${sameSite}_${secure}_${TIME}`;
setCookie(name, value, {
sameSite,
secure
});
const valueGet = getCookie(name);
result.push({
name,
value,
valueGet,
sameSite,
secure,
result: valueGet === value ? '✅' : '❌'
});
});
return result;
}, []);
console.table(ITEMS, ['sameSite', 'secure', 'result']);
})();
```typescript
function canSetCookies(): boolean;
```
### HTTP 非 Iframe
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ✅ | ✅ |
| `undefined` | `true` | ❌ | ❌ | ❌ |
| `undefined` | `false` | ❌ | ❌ | ❌ |
| Lax | `undefined` | ✅ | ✅ | ✅ |
| Lax | `true` | ❌ | ❌ | ❌ |
| Lax | `false` | ❌ | ❌ | ❌ |
| Strict | `undefined` | ✅ | ✅ | ✅ |
| Strict | `true` | ❌ | ❌ | ❌ |
| Strict | `false` | ❌ | ❌ | ❌ |
| None | `undefined` | ❌ | ❌ | ✅ |
| None | `true` | ❌ | ❌ | ❌ |
| None | `false` | ❌ | ❌ | ❌ |
### HTTP Iframe 不跨域
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ✅ | ✅ |
| `undefined` | `true` | ❌ | ❌ | ❌ |
| `undefined` | `false` | ❌ | ❌ | ❌ |
| Lax | `undefined` | ✅ | ✅ | ✅ |
| Lax | `true` | ❌ | ❌ | ❌ |
| Lax | `false` | ❌ | ❌ | ❌ |
| Strict | `undefined` | ✅ | ✅ | ✅ |
| Strict | `true` | ❌ | ❌ | ❌ |
| Strict | `false` | ❌ | ❌ | ❌ |
| None | `undefined` | ❌ | ❌ | ✅ |
| None | `true` | ❌ | ❌ | ❌ |
| None | `false` | ❌ | ❌ | ❌ |
### HTTP(Iframe 跨子域)
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ✅ | ✅ |
| `undefined` | `true` | ❌ | ❌ | ❌ |
| `undefined` | `false` | ❌ | ❌ | ❌ |
| Lax | `undefined` | ✅ | ✅ | ✅ |
| Lax | `true` | ❌ | ❌ | ❌ |
| Lax | `false` | ❌ | ❌ | ❌ |
| Strict | `undefined` | ✅ | ✅ | ✅ |
| Strict | `true` | ❌ | ❌ | ❌ |
| Strict | `false` | ❌ | ❌ | ❌ |
| None | `undefined` | ❌ | ❌ | ✅ |
| None | `true` | ❌ | ❌ | ❌ |
| None | `false` | ❌ | ❌ | ❌ |
### HTTP(Iframe 跨全域)
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ❌ | ❌ | ❌ |
| `undefined` | `true` | ❌ | ❌ | ❌ |
| `undefined` | `false` | ❌ | ❌ | ❌ |
| Lax | `undefined` | ❌ | ❌ | ❌ |
| Lax | `true` | ❌ | ❌ | ❌ |
| Lax | `false` | ❌ | ❌ | ❌ |
| Strict | `undefined` | ❌ | ❌ | ❌ |
| Strict | `true` | ❌ | ❌ | ❌ |
| Strict | `false` | ❌ | ❌ | ❌ |
| None | `undefined` | ❌ | ❌ | ❌ |
| None | `true` | ❌ | ❌ | ❌ |
| None | `false` | ❌ | ❌ | ❌ |
### HTTPS 非 Iframe
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ✅ | ✅ |
| `undefined` | `true` | ✅ | ✅ | ✅ |
| `undefined` | `false` | ✅ | ✅ | ✅ |
| Lax | `undefined` | ✅ | ✅ | ✅ |
| Lax | `true` | ✅ | ✅ | ✅ |
| Lax | `false` | ✅ | ✅ | ✅ |
| Strict | `undefined` | ✅ | ✅ | ✅ |
| Strict | `true` | ✅ | ✅ | ✅ |
| Strict | `false` | ✅ | ✅ | ✅ |
| None | `undefined` | ❌ | ❌ | ✅ |
| None | `true` | ✅ | ✅ | ✅ |
| None | `false` | ✅ | ✅ | ✅ |
### HTTPS 在 Iframe 下(不跨域)
`a.com` 页面通过 Iframe 内嵌 `a.com` 页面,在内层 `a.com` 页面上进行测试。
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ✅ | ✅ |
| `undefined` | `true` | ✅ | ✅ | ✅ |
| `undefined` | `false` | ✅ | ✅ | ✅ |
| Lax | `undefined` | ✅ | ✅ | ✅ |
| Lax | `true` | ✅ | ✅ | ✅ |
| Lax | `false` | ✅ | ✅ | ✅ |
| Strict | `undefined` | ✅ | ✅ | ✅ |
| Strict | `true` | ✅ | ✅ | ✅ |
| Strict | `false` | ✅ | ✅ | ✅ |
| None | `undefined` | ❌ | ❌ | ✅ |
| None | `true` | ✅ | ✅ | ✅ |
| None | `false` | ✅ | ✅ | ✅ |
### HTTPS 在 Iframe 下(跨子域)
`xx.a.com` 页面通过 Iframe 内嵌 `yy.a.com` 页面,在 `yy.a.com` 页面上进行测试。
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ❌ | ✅ |
| `undefined` | `true` | ✅ | ❌ | ✅ |
| `undefined` | `false` | ✅ | ❌ | ✅ |
| Lax | `undefined` | ❌ | ❌ | ✅ |
| Lax | `true` | ❌ | ❌ | ✅ |
| Lax | `false` | ❌ | ❌ | ✅ |
| Strict | `undefined` | ❌ | ❌ | ✅ |
| Strict | `true` | ❌ | ❌ | ✅ |
| Strict | `false` | ❌ | ❌ | ✅ |
| None | `undefined` | ❌ | ❌ | ✅ |
| None | `true` | ✅ | ✅ | ✅ |
| None | `false` | ✅ | ✅ | ✅ |
### HTTPS 在 Iframe 下(跨全域)
`a.com` 页面通过 Iframe 内嵌 `b.com` 页面,在 `b.com` 页面上进行测试。
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ❌ | ❌ |
| `undefined` | `true` | ✅ | ❌ | ❌ |
| `undefined` | `false` | ✅ | ❌ | ❌ |
| Lax | `undefined` | ❌ | ❌ | ❌ |
| Lax | `true` | ❌ | ❌ | ❌ |
| Lax | `false` | ❌ | ❌ | ❌ |
| Strict | `undefined` | ❌ | ❌ | ❌ |
| Strict | `true` | ❌ | ❌ | ❌ |
| Strict | `false` | ❌ | ❌ | ❌ |
| None | `undefined` | ❌ | ❌ | ❌ |
| None | `true` | ✅ | ✅ | ❌ |
| None | `false` | ✅ | ✅ | ❌ |
## 总结
HTTP 下,非 Iframe、Iframe 不跨域、Iframe 跨子域(跨全域都不行)成功的测试用例:
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| `undefined` | `undefined` | ✅ | ✅ | ✅ |
| Lax | `undefined` | ✅ | ✅ | ✅ |
| Strict | `undefined` | ✅ | ✅ | ✅ |
HTTPS 下,非 Iframe、Iframe 不跨域、Iframe 跨子域、Iframe 跨全域(Safari 都不行)成功的测试用例:
| SameSite | Secure | Firefox | Chrome | Safari |
|--------------|-------------|---------|--------|--------|
| None | `true` | ✅ | ✅ | ✅ |
| None | `false` | ✅ | ✅ | ✅ |
默认逻辑:
1. 若 HTTP,则 `SameSite` 和 `secure` 不设置
2. 若 HTTPS,则 `sameSite=None; secure=true`(前提是使用者不设置 `sameSite` 和 `secure`)
[research-1]: ./docs/research-on-https-and-iframe.md