same-site-cookie.js

const http = require('http');
const url = require('url');
const querystring = require('querystring');

const topPageHtml = `
<html>
<head><link rel="prerender" href="/confirm?prerender"></head>
<body>
<h2>Cookie を付与するドメイン</h2>
<h3>確認ページへの遷移</h3>
<p>
  <a href="/confirm">a タグ</a>
</p>
<p>
  <form action="/confirm" method="get">
    <button type="submit">form による get メソッドでのリクエストする</button>
  </form>
</p>
<p>
  <form action="/confirm" method="post">
    <button type="submit">form による post メソッドでのリクエストする</button>
  </form>
</p>
<p>
  <a href="/iframe">iframe 内の form からリクエストを行う</a>
</p>
<h3>
  <a href="http://sub.localhost:8081">別ドメインのサイト(sub.localhost:8081)に移動</a>
</h3>
<img src="/confirm?img">
<script>
fetch('/confirm?fetch', {credentials: 'include'});
</script>
</body>
</html>
`;

const resTopPage = (req, res) => {
  res.setHeader('Set-Cookie', [
    'strict=value; SameSite=Strict; Max-Age=180',
    'lax=value; SameSite=Lax; Max-Age=180',
    'none=value; SameSite=None; Max-Age=180',
    'invalid=value; SameSite=Foo; Max-Age=180',
    'noSpecify=value; Max-Age=180',
  ]);
  res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
  res.write(topPageHtml);
  res.end();
};

const getCookieNames = cookie => Object.keys(querystring.parse(cookie, '; ')).join(', ');

const showLog = req => {
  const {query} = url.parse(req.url);
  if (query === null) return;
  console.log(`request by ${query} ${getCookieNames(req.headers.cookie)}`);
};

const resConfirmPage = (req, res) => {
  showLog(req);
  res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
  res.write(`req.headers.cookie -> <b>${getCookieNames(req.headers.cookie)}</b>`);
  res.write('<br>');
  res.write(`req.method -> <b>${req.method}</b>`);
  res.write('<p>');
  res.write('<a href="/">トップページに移動</a>');
  res.write('</p>');
  res.write('<p>');
  res.write('<a href="http://sub.localhost:8081">別ドメインのサイト(sub.localhost:8081)に移動</a>');
  res.write('</p>');
  res.end();
};

const iframeGetHtml = `
<body onload="document.forms[0].submit()">
  <form action="http://localhost:8080/confirm" method="get">
    <input type="hidden" name="iframe-get">
  </form>
</body>
`;

const iframePostHtml = `
<body onload="document.forms[0].submit()">
  <form action="http://localhost:8080/confirm?iframe-post" method="post">
  </form>
</body>
`;

const iframePageHtml = `
<p>
  iframe でリクエストを送りました。
</p>
<p>
  <a href="http://localhost:8080">http://localhost:8080 のトップページに移動</a>
</p>
<iframe width="0" height="0" style="visibility: hidden;" src="/iframe-get"></iframe>
<iframe width="0" height="0" style="visibility: hidden;" src="/iframe-post"></iframe>
`;

const resIframePage = (req, res) => {
  res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
  res.write(iframePageHtml);
  res.end();
};

const routing = (req, res) => {
  switch(true) {
    case /^\/$/.test(req.url):
      resTopPage(req, res);
      break;
    case /^\/confirm/.test(req.url):
      resConfirmPage(req, res);
      break;
    case /^\/iframe-get$/.test(req.url):
      res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
      res.write(iframeGetHtml);
      res.end();
      break;
    case /^\/iframe-post$/.test(req.url):
      res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
      res.write(iframePostHtml);
      res.end();
      break;
    case /^\/iframe$/.test(req.url):
      resIframePage(req, res);
      break;
    default:
      res.writeHead(404);
      res.end();
  };
};

http.createServer((req, res) => {
  routing(req, res);
}).listen(8080);

const anotherDomainTopPageHtml = `
<html>
<head><link rel="prerender" href="http://localhost:8080/confirm?prerender" crossorigin="use-credentials"></head>
<body>
<h2>Cookie を付与したのとは別のドメイン</h2>
<h3>確認ページへの遷移</h3>
<p>
  <a href="http://localhost:8080/confirm">a タグ</a>
</p>
<p>
  <form action="http://localhost:8080/confirm" method="get">
    <button type="submit">form による get メソッドでのリクエストする</button>
  </form>
</p>
<p>
  <form action="http://localhost:8080/confirm" method="post">
    <button type="submit">form による post メソッドでのリクエストする</button>
  </form>
</p>
<p>
  <a href="/iframe">iframe 内の form からリクエストを行う</a>
</p>
<h3>
  <a href="http://localhost:8080">localhost:8080 に移動</a>
</h3>
<img src="http://localhost:8080/confirm?img">
<script>
fetch('http://localhost:8080/confirm?fetch', {credentials: 'include'});
</script>
</body>
</html>
`;

http.createServer((req, res) => {
  switch(true) {
    case /^\/$/.test(req.url):
      res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
      res.write(anotherDomainTopPageHtml);
      res.end();
      break;
    case /^\/iframe-get$/.test(req.url):
      res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
      res.write(iframeGetHtml);
      res.end();
      break;
    case /^\/iframe-post$/.test(req.url):
      res.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'});
      res.write(iframePostHtml);
      res.end();
      break;
    case /^\/iframe$/.test(req.url):
      resIframePage(req, res);
      break;
    default:
      res.writeHead(404);
      res.end();
  };
}).listen(8081);