From 40c6ab3bad844fc108b31ac0dbce2c4770ad7dbb Mon Sep 17 00:00:00 2001
From: Henning Perl
Date: Thu, 27 Apr 2023 09:49:46 +0200
Subject: [PATCH] fix: proper SameSite=None in dev mode
---
 driver/config/provider.go | 3 ++-
 driver/config/provider_test.go | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/driver/config/provider.go b/driver/config/provider.go
index ea029523223..74d4179d7cf 100644
--- a/driver/config/provider.go
+++ b/driver/config/provider.go
@@ -277,7 +277,8 @@ func (p *DefaultProvider) CookieSameSiteMode(ctx context.Context) http.SameSite
 case "strict":
 return http.SameSiteStrictMode
 case "none":
- if p.IsDevelopmentMode(ctx) {
+ if p.IssuerURL(ctx).Scheme != "https" {
+ // SameSite=None can only be set for HTTPS issuers.
 return http.SameSiteLaxMode
 }
 return http.SameSiteNoneMode
diff --git a/driver/config/provider_test.go b/driver/config/provider_test.go
index 7d69eddbd52..f7f3b4aef89 100644
--- a/driver/config/provider_test.go
+++ b/driver/config/provider_test.go
@@ -206,11 +206,20 @@ func TestProviderCookieSameSiteMode(t *testing.T) {
 p.MustSet(ctx, KeyCookieSameSiteMode, "none")
 assert.Equal(t, http.SameSiteNoneMode, p.CookieSameSiteMode(ctx))
+ p.MustSet(ctx, KeyCookieSameSiteMode, "lax")
+ assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))
+
+ p.MustSet(ctx, KeyCookieSameSiteMode, "strict")
+ assert.Equal(t, http.SameSiteStrictMode, p.CookieSameSiteMode(ctx))
+
 p = MustNew(context.Background(), l, configx.SkipValidation())
 p.MustSet(ctx, "dev", true)
 assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))
 p.MustSet(ctx, KeyCookieSameSiteMode, "none")
 assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))
+
+ p.MustSet(ctx, KeyIssuerURL, "https://example.com")
+ assert.Equal(t, http.SameSiteNoneMode, p.CookieSameSiteMode(ctx))
 }
 func TestViperProviderValidates(t *testing.T) {
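Review bot: The `"none"` branch now decides SameSite from `p.IssuerURL(ctx).Scheme` alone, while the cookie's Secure attribute is set somewhere outside this hunk; if that attribute still follows development mode, a dev-mode instance with an HTTPS issuer would emit `SameSite=None` without `Secure`, which current browsers reject. It is worth confirming that both decisions use the same condition, or moving them behind one shared helper. The downgrade to Lax is also silent for an operator who configured `none`, so I would widen the comment to `// Browsers reject SameSite=None without Secure; fall back to Lax when the issuer is not HTTPS.` and consider logging the fallback once. The function starts and ends outside the hunk, so whether `IssuerURL` can ever return nil before the `.Scheme` access cannot be checked from here.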
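Review bot: The added cases never pin the Lax fallback for an explicit `http://` issuer, which is the branch this commit introduces; the first `SameSiteNoneMode` assertion passes only because of whatever issuer URL the provider was given before the hunk. After the final assertion I would add `p.MustSet(ctx, KeyIssuerURL, "http://example.com")` followed by `assert.Equal(t, http.SameSiteLaxMode, p.CookieSameSiteMode(ctx))`, and repeat that pair on a provider without `dev` set. Because every step mutates the same `p`, each expectation depends on the ones before it; separate `t.Run` subtests with a fresh provider would make a failure point at one configuration. The test function begins outside the hunk, so its initial setup is not visible here.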