Why sameSite=None is not added for toString method #378

Open
stefanbeigel opened this issue Mar 7, 2024 · 1 comment
Labels
6265bis Officially proposed changes to RFC 6265
Comments


stefanbeigel commented Mar 7, 2024

https://github.com/salesforce/tough-cookie/blob/master/lib/cookie/cookie.ts#L612

As far as I know, Chrome treats cookies with no SameSite attribute as SameSite=Lax.
So setting SameSite=None is not the same as setting no SameSite.

So I wonder why it is not returned by the toString method.

@colincasey colincasey added the 6265bis Officially proposed changes to RFC 6265 label Mar 7, 2024
@colincasey (Contributor)

Good question @stefanbeigel. The SameSite attribute is not part of rfc6265 and instead comes from the active draft rfc6265bis. The SameSite implementation for tough-cookie was added in this commit which references version 2 of httpbis-rfc6265bis:

If the attribute-name case-insensitively matches the string
"SameSite", the user agent MUST process the cookie-av as follows:

  1. If cookie-av's attribute-value is not a case-insensitive match
    for "Strict" or "Lax", ignore the "cookie-av".

  2. Let "enforcement" be "Lax" if cookie-av's attribute-value is a
    case-insensitive match for "Lax", and "Strict" otherwise.

  3. Append an attribute to the cookie-attribute-list with an
    attribute-name of "SameSite" and an attribute-value of
    "enforcement".

But the steps above no longer match up with the latest version of rfc6265bis:

Let enforcement be "Default".

If cookie-av's attribute-value is a case-insensitive match for "None", set enforcement to "None".

If cookie-av's attribute-value is a case-insensitive match for "Strict", set enforcement to "Strict".

If cookie-av's attribute-value is a case-insensitive match for "Lax", set enforcement to "Lax".

Append an attribute to the cookie-attribute-list with an attribute-name of "SameSite" and an attribute-value of enforcement.

The current implementation should be corrected to match the text above.

For our 5.x release, we have been focused on porting over the previous JavaScript implementation so that it matches that behavior as accurately as possible (bugs and all) before working on improvements, which is why the TypeScript code, though recently added, matches the earlier draft spec implementation.

@colincasey colincasey added this to Needs triage in v6 Mar 8, 2024
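The two parsing algorithms quoted in the comment above, side by side, as an added example (this is not tough-cookie's code and none of the names below are its API). It parses a Set-Cookie header under the httpbis-rfc6265bis-02 rules and under the current rfc6265bis rules, then serializes the cookie back, so the difference the reporter noticed is visible: under the old rules "SameSite=None" is an ignored cookie-av and disappears on serialization, under the new rules it survives. The sample headers are constructed. The storeAccepts check is taken from the current draft's storage model (SameSite=None is rejected without Secure, which Chrome also enforces), not from the text quoted in this thread.

```typescript
// Added example, not tough-cookie's code: the two SameSite parsing
// algorithms quoted in the thread, side by side, plus a serializer that
// keeps "None" distinct from "no attribute". All names here
// (parseSetCookie, serialize, storeAccepts, ...) are this example's own.

export type SameSite = 'Default' | 'None' | 'Strict' | 'Lax';

export interface Cookie {
  name: string;
  value: string;
  secure: boolean;
  // undefined = no SameSite attribute in the cookie-attribute-list
  sameSite: SameSite | undefined;
}

// httpbis-rfc6265bis-02: only Strict and Lax are recognised; any other
// value (including "None") is an ignored cookie-av.
export function sameSiteDraft2(attrValue: string): 'Strict' | 'Lax' | undefined {
  const v = attrValue.toLowerCase();
  if (v !== 'strict' && v !== 'lax') return undefined; // step 1: ignore the cookie-av
  return v === 'lax' ? 'Lax' : 'Strict';               // step 2
}

// Current rfc6265bis: start at "Default", then match None/Strict/Lax.
// An unrecognised value still appends SameSite=Default.
export function sameSiteLatest(attrValue: string): SameSite {
  let enforcement: SameSite = 'Default';
  const v = attrValue.toLowerCase();
  if (v === 'none') enforcement = 'None';
  if (v === 'strict') enforcement = 'Strict';
  if (v === 'lax') enforcement = 'Lax';
  return enforcement;
}

// Minimal Set-Cookie parser covering only what the example needs:
// name=value, Secure and SameSite. Other attributes are skipped.
export function parseSetCookie(header: string, mode: 'draft2' | 'latest'): Cookie {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie: Cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    secure: false,
    sameSite: undefined,
  };
  for (const av of parts.slice(1)) {
    const i = av.indexOf('=');
    const attrName = (i === -1 ? av : av.slice(0, i)).trim().toLowerCase();
    const attrValue = i === -1 ? '' : av.slice(i + 1).trim();
    if (attrName === 'secure') {
      cookie.secure = true;
    } else if (attrName === 'samesite') {
      if (mode === 'draft2') {
        const e = sameSiteDraft2(attrValue);
        if (e !== undefined) cookie.sameSite = e; // an ignored av leaves the list unchanged
      } else {
        cookie.sameSite = sameSiteLatest(attrValue);
      }
    }
  }
  return cookie;
}

// Serialize back to a Set-Cookie string. "Default" and "no attribute" both
// serialize to nothing; an explicit "None" must be written out, because a
// receiving browser treats a missing attribute as Lax, not None.
export function serialize(c: Cookie): string {
  let out = `${c.name}=${c.value}`;
  if (c.secure) out += '; Secure';
  if (c.sameSite !== undefined && c.sameSite !== 'Default') {
    out += `; SameSite=${c.sameSite}`;
  }
  return out;
}

// Storage-model check from the current draft (not quoted in the thread):
// a cookie with same-site-flag "None" is rejected unless it is also Secure.
// Chrome enforces the same rule.
export function storeAccepts(c: Cookie): boolean {
  return !(c.sameSite === 'None' && !c.secure);
}

// Constructed sample headers.
export const SAMPLE_NONE = 'sid=abc123; Secure; SameSite=None';
export const SAMPLE_NONE_INSECURE = 'sid=abc123; SameSite=None';
export const SAMPLE_BOGUS = 'sid=abc123; Secure; SameSite=Bogus';

// Parse and re-serialize the same header under one of the two algorithms.
export function roundTrip(header: string, mode: 'draft2' | 'latest'): string {
  return serialize(parseSetCookie(header, mode));
}
```

Running roundTrip(SAMPLE_NONE, 'draft2') yields a header with no SameSite attribute at all, which a browser will then treat as Lax; roundTrip(SAMPLE_NONE, 'latest') keeps SameSite=None. The parser also shows why "Default" and "undefined" are worth keeping apart internally: under the current draft an unrecognised value like SameSite=Bogus still appends an attribute (with value Default), it just serializes to nothing.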