
Add support for SameSite=None cookies

    Description

      Google will soon be switching Chrome to mark cookies as SameSite=lax by default, which is highly likely to break some customer functionality. They are adding support for a new non-standard SameSite=None option to revert to the old behaviour, so we should add support for that. This will be required for OPENAM-15444.

      Notes:

      • SameSite=None will only be allowed on cookies which are also marked Secure, so if this is set we should automatically set the Secure attribute too. (We may want to check if the request was sent over a secure channel and log a warning if not?)
      • Apple's Safari browser prior to version 13 has a bug where it will treat SameSite=None as if it were SameSite=Strict, and Apple have said they are not going to backport the fix. This means we'll need to resort to browser sniffing to avoid sending this flag to earlier versions of Safari (or perhaps only sending it to Chrome).
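As an added illustration of the two notes above (not ForgeRock Commons or OpenAM code): a Python sketch that forces Secure whenever SameSite=None is emitted, returns a warning when the request did not arrive over a secure channel, and omits the attribute for pre-13 Safari based on the User-Agent. The User-Agent patterns are assumptions about common Safari UA formats.

```python
import re
from typing import Optional, Tuple

# Added example: illustrative logic only, not ForgeRock Commons code.
# The User-Agent patterns below are assumptions about typical Safari UA strings.


def safari_without_samesite_none(user_agent: str) -> bool:
    """True for Safari builds that treat SameSite=None as Strict (pre-13).

    Chrome's UA also contains "Safari/", so Chrome/Chromium are excluded first.
    An unidentifiable Safari build is treated as affected (attribute omitted).
    """
    ua = user_agent or ""
    if "Safari/" not in ua or "Chrome/" in ua or "Chromium/" in ua:
        return False
    m = re.search(r"Version/(\d+)", ua)      # desktop and mobile Safari
    if m:
        return int(m.group(1)) < 13
    m = re.search(r"OS (\d+)_", ua)          # iOS WebKit views lacking Version/
    if m:
        return int(m.group(1)) < 13
    return True


def set_cookie_header(name: str, value: str, same_site: Optional[str],
                      secure: bool, request_is_secure: bool,
                      user_agent: str) -> Tuple[str, Optional[str]]:
    """Build a Set-Cookie header value; returns (header, warning_or_None)."""
    attrs = [f"{name}={value}"]
    warning = None
    mode = same_site.lower() if same_site else None
    if mode not in (None, "none", "lax", "strict"):
        raise ValueError(f"unsupported SameSite value: {same_site!r}")
    # Pre-13 Safari: drop the attribute entirely, which yields the old default.
    if mode == "none" and safari_without_samesite_none(user_agent):
        mode = None
    if mode == "none":
        secure = True                        # SameSite=None requires Secure
        if not request_is_secure:
            warning = ("Secure forced for SameSite=None but the request was not "
                       "over a secure channel; the browser will discard the cookie")
    if mode:
        attrs.append(f"SameSite={mode.capitalize()}")
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs), warning
```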

            People

              neil.madden Neil Madden