Hi! Thank you for this nice little gem 🙏

According to some sources, like this one, it seems that if "SameSite=None" is specified then "Secure" must also be specified, otherwise the cookie will be blocked:

> If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).

So I'm thinking these lines:

rails_same_site_cookie/lib/rails_same_site_cookie/middleware.rb
Lines 25 to 29 in 4750406

could be changed to:

```ruby
# Always append the Secure attribute when it is missing, so that a cookie
# carrying SameSite=None is not rejected by the browser.
unless cookie =~ /;\s*secure/i
  cookie << '; Secure'
end
```

It seems that over HTTP, if you send "SameSite=None; Secure" then everything still works fine. At least for first-party contexts it works fine. And for third-party contexts, well, they must be "Secure" according to the spec, so it never makes sense to send "SameSite=None" without "Secure".

I can send a PR if you want! In the meantime I'm just monkeypatching the middleware on my app.
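As an added example (not the gem's own code and not the issue author's), here is a Rack-style pass over the Set-Cookie values that implements the behaviour proposed in this issue: cookies without a SameSite attribute get SameSite=None, and any cookie carrying SameSite=None also gets Secure. The function name `ensure_same_site_none_secure` and the sample header values are constructed for this illustration.

```ruby
# Added example: normalise a list of Set-Cookie header values so that every
# cookie using SameSite=None is also marked Secure. Browsers reject a
# SameSite=None cookie that lacks Secure, so sending one without the other
# never makes sense.
def ensure_same_site_none_secure(set_cookie_values)
  set_cookie_values.map do |cookie|
    cookie = cookie.to_s.dup # copy, in case the header string is frozen
    # Leave cookies that already declare a SameSite policy (Lax/Strict) alone.
    cookie << '; SameSite=None' unless cookie =~ /;\s*SameSite=/i
    next cookie unless cookie =~ /;\s*SameSite=None/i
    # SameSite=None is only honoured together with Secure; the attribute is
    # case-insensitive and may sit anywhere in the attribute list.
    cookie << '; Secure' unless cookie =~ /;\s*secure\s*(;|\z)/i
    cookie
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Set-Cookie values covering the interesting cases.
  sample = [
    'session=abc123; Path=/; HttpOnly',          # gets SameSite=None; Secure
    'pref=dark; Path=/; SameSite=Lax',            # untouched
    'token=xyz; Path=/; Secure; SameSite=None',   # already correct
    'tracker=1; SameSite=None; secure'            # lower-case secure, untouched
  ]
  puts ensure_same_site_none_secure(sample)
end
```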