COMMONS-511: Add support for SameSite=None cookies

Description

Google will soon be switching Chrome to mark cookies as SameSite=Lax by default, which is highly likely to break some customer functionality. They are adding support for a new non-standard SameSite=None option to revert to the old behaviour, so we should add support for that. This will be required for OPENAM-15444.

      Notes:

      • SameSite=None will only be allowed on cookies which are also marked Secure, so if this is set we should automatically set the Secure attribute too. (We may want to check if the request was sent over a secure channel and log a warning if not?)
      • Versions of Apple's Safari browser prior to 13 have a bug where they treat SameSite=None as if it were SameSite=Strict, and Apple have said they are not going to backport the fix. This means we'll need to resort to browser sniffing to avoid sending this flag to earlier versions of Safari (or perhaps only send it to Chrome).
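The two notes above describe one piece of behaviour: when a caller asks for SameSite=None, force the Secure attribute (warning if the request itself was not secure), and leave the SameSite attribute off entirely for Safari older than 13 so those browsers fall back to their default instead of treating the cookie as Strict. The following is an added Python example, not code from ForgeRock Commons or OpenAM; the function names (`is_safari_before_13`, `build_set_cookie`), the user-agent heuristic, and the sample user-agent strings are all constructed for illustration.

```python
import logging
import re
from typing import Optional

log = logging.getLogger(__name__)

# Safari (and iOS WebKit) user agents carry a "Version/NN.x" token. Chromium-based
# browsers also contain "Safari/" for compatibility, so they must be excluded first.
_SAFARI_VERSION = re.compile(r"Version/(\d+)")
_CHROMIUM_MARKERS = ("Chrome/", "Chromium/", "CriOS/", "Edg/", "OPR/")


def is_safari_before_13(user_agent: Optional[str]) -> bool:
    """Heuristic (assumption, not a full UA parser): does this look like Safari < 13,
    i.e. one of the versions that mishandles SameSite=None?"""
    if not user_agent or "Safari/" not in user_agent:
        return False
    if any(marker in user_agent for marker in _CHROMIUM_MARKERS):
        return False
    match = _SAFARI_VERSION.search(user_agent)
    if match is None:
        # WebKit with no Version/ token (e.g. an embedded web view): we cannot tell the
        # version, so conservatively behave as if it were an old Safari.
        return True
    return int(match.group(1)) < 13


def build_set_cookie(name: str, value: str, *, same_site: Optional[str] = None,
                     secure: bool = False, request_is_secure: bool = True,
                     user_agent: Optional[str] = None, path: str = "/") -> str:
    """Build a Set-Cookie header value, applying the SameSite=None rules from the issue."""
    attrs = [f"{name}={value}", f"Path={path}"]
    if same_site is not None:
        same_site = same_site.capitalize()  # accept "none"/"NONE"/"None"

    if same_site == "None":
        if is_safari_before_13(user_agent):
            # Safari < 13 would treat SameSite=None as Strict; omit the attribute so the
            # browser applies its default behaviour instead.
            log.info("omitting SameSite=None for cookie %s: Safari < 13 user agent", name)
            same_site = None
        else:
            # Browsers only accept SameSite=None on Secure cookies, so force the flag.
            secure = True
            if not request_is_secure:
                log.warning("cookie %s set with SameSite=None on a non-secure request; "
                            "the browser will reject it", name)

    if same_site is not None:
        attrs.append(f"SameSite={same_site}")
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


# Constructed sample user-agent strings for the demonstration below.
SAFARI_12 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")
SAFARI_13 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/13.0.1 Safari/605.1.15")
CHROME_80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for label, ua in (("Chrome 80", CHROME_80), ("Safari 13", SAFARI_13), ("Safari 12", SAFARI_12)):
        print(f"{label}: {build_set_cookie('session', 'abc', same_site='None', user_agent=ua)}")
```

For Chrome and Safari 13 the header comes out as `session=abc; Path=/; SameSite=None; Secure`; for Safari 12 it is `session=abc; Path=/`, with an info-level log line explaining why the attribute was dropped. The user-agent check is deliberately narrow: anything that is not recognisably Safari is sent the full attribute, which matches the issue's preference for limiting the sniffing to the known-broken browser.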

People

Assignee: Neil Madden
Reporter: Neil Madden