node_modules/tough-cookie/README.md

# Tough Cookie · [![RFC6265][rfc6265-badge]][rfc6265-tracker] [![RFC6265bis][rfc6265bis-badge]][rfc6265bis-tracker] [![npm version][npm-badge]][npm-repo] [![CI on Github Actions: salesforce/tough-cookie][ci-badge]][ci-url] ![PRs Welcome][prs-welcome-badge]

A Node.js implementation of [RFC6265][rfc6265-tracker] for cookie parsing, storage, and retrieval.

## Getting Started

Install Tough Cookie using [`npm`][npm-repo]:

```shell
npm install tough-cookie
```

or [`yarn`][yarn-repo]:

```shell
yarn add tough-cookie
```

## Usage

```typescript
import { Cookie, CookieJar } from 'tough-cookie'

// parse a `Cookie` request header
const reqCookies = 'ID=298zf09hf012fh2; csrf=u32t4o3tb3gg43; _gat=1'.split(';').map(Cookie.parse)
// generate a `Cookie` request header
const cookieHeader = reqCookies.map(cookie => cookie.cookieString()).join(';')

// parse a Set-Cookie response header
const resCookie = Cookie.parse('foo=bar; Domain=example.com; Path=/; Expires=Tue, 21 Oct 2025 00:00:00 GMT')
// generate a Set-Cookie response header
const setCookieHeader = cookie.toString()

// store and retrieve cookies
const cookieJar = new CookieJar() // uses the in-memory store by default
await cookieJar.setCookie(resCookie, 'https://example.com/')
const matchingCookies = await cookieJar.getCookies('https://example.com/')
```

> [!IMPORTANT]
> For more detailed usage information, refer to the [API docs](./api/docs/tough-cookie.md).

## RFC6265bis

Support for [RFC6265bis][rfc6265bis-tracker] is being developed. As these revisions to [RFC6252][rfc6265-tracker] are
still in `Active Internet-Draft` state, the areas of support that follow are subject to change.

### SameSite Cookies

This change makes it possible for servers, and supporting clients, to mitigate certain types of CSRF
attacks by disallowing `SameSite` cookies from being sent cross-origin.

#### Example

```typescript
import { CookieJar } from 'tough-cookie'

const cookieJar = new CookieJar() // uses the in-memory store by default

// storing cookies with various SameSite attributes
await cookieJar.setCookie('strict=authorized; SameSite=strict', 'http://example.com/index.html')
await cookieJar.setCookie('lax=okay; SameSite=lax', 'http://example.com/index.html')
await cookieJar.setCookie('normal=whatever', 'http://example.com/index.html')

// retrieving cookies using a SameSite context
const laxCookies = await cookieJar.getCookies('http://example.com/index.html', {
  // the first cookie (strict=authorized) will not be returned if the context is 'lax'
  // but the other two cookies will be returned
  sameSiteContext: 'lax',
})
```

> [!NOTE]
> It is highly recommended that you read [RFC6265bis - Section 8.8][samesite-implementation] for more details on SameSite cookies, security considerations, and defense in depth.

### Cookie Prefixes

Cookie prefixes are a way to indicate that a given cookie was set with a set of attributes simply by
inspecting the first few characters of the cookie's name.

Two prefixes are defined:

- `"__Secure-"`

  If a cookie's name begins with a case-sensitive match for the string `__Secure-`, then the cookie was set with a "Secure" attribute.

- `"__Host-"`

  If a cookie's name begins with a case-sensitive match for the string `__Host-`, then the cookie was set with a "Secure" attribute, a "Path" attribute with a value of "/", and no "Domain" attribute.

If `prefixSecurity` is enabled for `CookieJar`, then cookies that match the prefixes defined above but do
not obey the attribute restrictions are not added.

You can define this functionality by passing in the `prefixSecurity` option to `CookieJar`. It can be one of 3 values:

1. `silent`: (**default**) Enable cookie prefix checking but silently fail to add the cookie if conditions are not met.
2. `strict`: Enable cookie prefix checking and error out if conditions are not met.
3. `unsafe-disabled`: Disable cookie prefix checking.

> If `ignoreError` is passed in as `true` when setting a cookie then the error is silent regardless of the `prefixSecurity` option (assuming it's enabled).

#### Example

```typescript
import { CookieJar, MemoryCookieStore } from 'tough-cookie'

const cookieJar = new CookieJar(new MemoryCookieStore(), {
  prefixSecurity: 'silent'
})

// this cookie will be silently ignored since the url is insecure (http)
await cookieJar.setCookie(
  '__Secure-SID=12345; Domain=example.com; Secure;',
  'http://example.com',
)

// this cookie will be stored since the url is secure (https)
await cookieJar.setCookie(
  '__Secure-SID=12345; Domain=example.com; Secure;',
  'https://example.com',
)
```

> [!NOTE]
> It is highly recommended that you read [RFC6265bis - Section 4.1.3][cookie-prefixes-implementation] for more details on Cookie Prefixes.

## Node.js Version Support

We follow the [Node.js release schedule](https://github.com/nodejs/Release#release-schedule) and support
all versions that are in Active LTS or Maintenance. We will always do a major release when dropping support
for older versions of node, and we will do so in consultation with our community.

[npm-badge]: https://img.shields.io/npm/v/tough-cookie.svg?style=flat
[npm-repo]: https://www.npmjs.com/package/tough-cookie
[ci-badge]: https://github.com/salesforce/tough-cookie/actions/workflows/integration.yaml/badge.svg
[ci-url]: https://github.com/salesforce/tough-cookie/actions/workflows/integration.yaml
[rfc6265-badge]: https://img.shields.io/badge/RFC-6265-flat?labelColor=000000&color=666666
[rfc6265-tracker]: https://datatracker.ietf.org/doc/rfc6265/
[rfc6265bis-badge]: https://img.shields.io/badge/RFC-6265bis-flat?labelColor=000000&color=666666
[rfc6265bis-tracker]: https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/
[samesite-implementation]: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-02#section-8.8
[cookie-prefixes-implementation]: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-02#section-4.1.3
[prs-welcome-badge]: https://img.shields.io/badge/PRs-welcome-brightgreen.svg
[yarn-repo]: https://yarnpkg.com/package?name=tough-cookie