fix: sameSite: use "lax" on HTTP #338

aarongranick-okta · 2020-03-02T22:56:40Z

Fixes issue with Chrome 80: https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html

The main effect is that running within an iFrame is now only supported if the app is being hosted on a HTTPS protocol.

OAuth redirect and PKCE cookies will default to SameSite:Lax, unless running on HTTPS protocol, then cookies will use SameSite: None; Secure
HTTP cache will use SameSite: Lax unless running on HTTPS protocol, then cookies will use SameSite: None; Secure
TokenManager (if falling back to using cookie storage) will use SameSite: Lax unless the secure option is set to true, then it will use SameSite: None; Secure

TokenManager is preserving existing opt-in behavior to avoid a breaking change. The scenario is that some customers may have an app running on mixed HTTPS and HTTP and they would like the tokens accessible in both contexts. This behavior is changing in 3.0: secure will be set by default, but there is an option to opt out.

I have tested locally using HTTPS proxy via https://ngrok.com/

fix: sameSite: use "lax" on HTTP

41a6f9c

aarongranick-okta force-pushed the ag-fix-samesite-secure-OKTA-281382 branch from 4cd032c to 41a6f9c Compare March 2, 2020 23:44

swiftone approved these changes Mar 3, 2020

View reviewed changes

aarongranick-okta merged commit ffa047e into master Mar 3, 2020

aarongranick-okta mentioned this pull request Mar 3, 2020

fix: update okta-auth-js for samesite/chrome fix - OKTA-281584 okta/okta-signin-widget#1072

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: sameSite: use "lax" on HTTP #338

fix: sameSite: use "lax" on HTTP #338

aarongranick-okta commented Mar 2, 2020 •

edited

Loading

fix: sameSite: use "lax" on HTTP #338

fix: sameSite: use "lax" on HTTP #338

Conversation

aarongranick-okta commented Mar 2, 2020 • edited Loading

aarongranick-okta commented Mar 2, 2020 •

edited

Loading