SameSite note again (SP this time)

Cantor, Scott cantor.2 at osu.edu
Mon Aug 24 16:52:22 UTC 2020


More interesting fallout...

When 3.1 shipped, I overlooked the fact that the cookieProps setting still defaults to http and not https. The log warns of course, but not to the extent that it's obvious how this impacts the subset of cookies that now default to SameSite=None, such as relay state or POST-preservation.

You have to add "secure" to any cookies with SameSite, so the browser just drops them. I really hadn't connected the dots on it. The fix is simple (just change cookieProps to https) but it is an incompatibility between the defaults that should be fixed, so I'll just have to toggle cookieProps finally for new installs. I think it's past time we assume https.

If you can't do that, the sameSiteFallback for Safari and Android does also work around this since it gets a second cookie set for those cases.

I added something to the release notes but I'll do a bit more later.

-- Scott
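The failure described above is a browser-side rule: a cookie carrying SameSite=None that lacks the Secure attribute is rejected outright by current browsers, so an SP emitting its relay-state or POST-preservation cookies without "secure" never gets them back. The script below is an added example, not code from Shibboleth or from the author of this message. It parses Set-Cookie header values (as collected with curl -I or from a browser's network panel) and flags cookies a browser would drop, with a constructed sample showing what the cookieProps="http" default produces beside the same cookies after switching to cookieProps="https". The cookie names in the sample are illustrative placeholders, not the SP's actual names.

```python
"""Flag Set-Cookie headers a modern browser will reject or send in the clear.

Browsers following the current cookie rules (Chrome 80+ and others) drop
any cookie with SameSite=None unless it also carries Secure. A Shibboleth SP
running with cookieProps="http" omits Secure, so its SameSite=None cookies
(relay state, POST preservation) are silently lost by the browser.
"""
from typing import Dict, List

REJECTED = "SameSite=None without Secure: modern browsers drop this cookie"
CLEARTEXT = "no Secure attribute: cookie is also sent over plain http"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie header value into {name, value, <attr>: <val>}.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map
    to an empty string so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def cookie_problems(header: str) -> List[str]:
    """Return the list of problems for a single Set-Cookie header (empty if fine)."""
    cookie = parse_set_cookie(header)
    problems: List[str] = []
    secure = "secure" in cookie
    samesite = cookie.get("samesite", "").lower()
    if samesite == "none" and not secure:
        # The browser never stores this cookie at all.
        problems.append(REJECTED)
    elif not secure:
        # Stored, but exposed to any plain-http request for the same host.
        problems.append(CLEARTEXT)
    return problems


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> problems for every header that has at least one."""
    result: Dict[str, List[str]] = {}
    for header in headers:
        probs = cookie_problems(header)
        if probs:
            result[parse_set_cookie(header)["name"]] = probs
    return result


# Constructed sample (names are placeholders): what an SP 3.1 install left at
# the cookieProps="http" default emits for a session cookie and a relay-state
# cookie that now defaults to SameSite=None.
BEFORE = [
    "_shibsession_x=sess; path=/; HttpOnly",
    "_shibstate_x=relay; path=/; HttpOnly; SameSite=None",
]
# The same two cookies after setting cookieProps="https".
AFTER = [
    "_shibsession_x=sess; path=/; secure; HttpOnly",
    "_shibstate_x=relay; path=/; secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for label, hdrs in (("cookieProps=http", BEFORE), ("cookieProps=https", AFTER)):
        print(label, audit(hdrs) or "no problems")
```

Feed the script the real headers from your own SP (for example the Set-Cookie lines from `curl -sI` against a session-initiator URL) rather than the constructed sample; any cookie reported as REJECTED is one the browser will never send back, which is exactly the relay-state loss described in the message.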