From 1c15259b08c7b51e501d13c5d9ea7707d7285e10 Mon Sep 17 00:00:00 2001
From: Richard Soderberg
Date: Mon, 29 Oct 2018 14:19:56 -0700
Subject: [PATCH] correctly flag "Set-Cookie: SameSite;" as flag-invalid

---
 httpobs/scanner/analyzer/headers.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/httpobs/scanner/analyzer/headers.py b/httpobs/scanner/analyzer/headers.py
index a6b84bc1..72a06826 100644
--- a/httpobs/scanner/analyzer/headers.py
+++ b/httpobs/scanner/analyzer/headers.py
@@ -335,7 +335,11 @@ def cookies(reqs: dict, expectation='cookies-secure-with-httponly-sessions') ->
 if key.lower() == 'httponly' and getattr(cookie, 'httponly') is False:
 cookie.httponly = True
 elif key.lower() == 'samesite' and getattr(cookie, 'samesite') is False:
- if cookie._rest[key] is True or cookie._rest[key].strip().lower() == 'strict':
+ if cookie._rest[key] is None:
+ output['result'] = only_if_worse('cookies-samesite-flag-invalid',
+ output['result'],
+ goodness)
+ elif cookie._rest[key] is True or cookie._rest[key].strip().lower() == 'strict':
 cookie.samesite = 'Strict'
 output['sameSite'] = True
 elif cookie._rest[key].strip().lower() == 'lax':
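Review bot: The `is None` guard on the first added line is what keeps the `.strip()` in the following `elif` from raising AttributeError for a bare `SameSite;` attribute, but nothing in the hunk records that ordering dependency; a comment such as `# a value-less 'SameSite;' is stored as None in _rest; test it before calling .strip()` above the new `if` would make it explicit for the next edit to this chain. The value `cookie._rest[key]` is now looked up in three sibling branches and could be bound once to a local such as `samesite_value = cookie._rest[key]` at the top of the `elif key.lower() == 'samesite'` block, which also confines the reach into the private `_rest` mapping to one line. Whether `SameSite=` with an empty string value is likewise reported as `cookies-samesite-flag-invalid` depends on the branch that follows the `'lax'` check below the hunk, which is not visible here. The enclosing `cookies` function starts and ends outside the hunk.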