Hi! Thank you for this nice little gem 🙏
According to some sources, like this one, it seems if "SameSite=None" is specified then "Secure" must also be specified, otherwise the cookie will be blocked:
If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
So I'm thinking these lines (rails_same_site_cookie/lib/rails_same_site_cookie/middleware.rb, lines 25 to 29 in 4750406):

```ruby
next if !ssl && parser.chrome? # https://www.chromestatus.com/feature/5633521622188032

if ssl and not cookie =~ /;\s*secure/i
  cookie << '; Secure'
end
```

could be changed to:

```ruby
if not cookie =~ /;\s*secure/i
  cookie << '; Secure'
end
```
It seems that over HTTP, if you send "SameSite=None; Secure" then everything still works fine. At least for first-party contexts it works fine. And for third-party contexts, well, they must be "Secure" according to the spec, so it never makes sense to send "SameSite=None" without "Secure".
I can send a PR if you want! In the meantime I'm just monkeypatching the middleware on my app.
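As an added example (this is editor-supplied code, not the rails_same_site_cookie gem's middleware and not the commenter's monkeypatch), the following Rack middleware rewrites every outgoing Set-Cookie value so that SameSite=None is always emitted together with Secure, which is the pairing the issue is about. It also carries the caveat a practitioner would want: Chrome and Firefox discard a cookie carrying the Secure attribute when it is set from a plain-HTTP origin, so over a non-TLS request the example leaves the cookie untouched rather than emitting a header the browser will drop. The module and class names, the `rewrite` and `rewrite_header` helpers, the simplified `ssl?` check and the `DEMO_APP` with its two cookies are all constructed for this example.

```ruby
# frozen_string_literal: true

# Rack middleware (example code, not the gem's) that marks every response
# cookie as usable cross-site by appending SameSite=None, and always pairs
# it with Secure: a SameSite=None cookie without Secure is rejected.
# Over plain HTTP nothing is appended: Chrome and Firefox discard a Secure
# cookie set from a non-TLS origin, so there is no valid header to emit.
module SameSiteNone
  # "; Secure" as a whole attribute (not a prefix of some other token).
  SECURE_RE   = /;\s*secure(?=\s*;|\s*\z)/i
  # Captures the value of an existing SameSite attribute.
  SAMESITE_RE = /;\s*samesite=([^;]*)/i

  # cookie: one "name=value; Attr; Attr" string as found in Set-Cookie.
  # ssl:    true when the request that produced the response used TLS.
  # Returns the rewritten cookie; the input string is never mutated.
  def self.rewrite(cookie, ssl:)
    return cookie if cookie.nil? || cookie.strip.empty?

    same_site = cookie.match(SAMESITE_RE)
    # Leave an explicit SameSite=Lax / SameSite=Strict chosen by the app alone.
    return cookie if same_site && same_site[1].strip.downcase != 'none'
    # No valid way to express "cross-site" over HTTP: see the module comment.
    return cookie unless ssl

    out = cookie.dup
    out << '; SameSite=None' unless same_site
    out << '; Secure' unless out.match?(SECURE_RE)
    out
  end

  # Rack 2 joins several cookies into one String separated by "\n";
  # Rack 3 hands over an Array. Both shapes are handled here.
  def self.rewrite_header(value, ssl:)
    case value
    when Array  then value.map { |c| rewrite(c, ssl: ssl) }
    when String then value.split("\n").map { |c| rewrite(c, ssl: ssl) }.join("\n")
    else value
    end
  end

  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      status, headers, body = @app.call(env)
      # Rack 2 uses 'Set-Cookie', Rack 3 lower-cases header names.
      key = headers.keys.find { |k| k.to_s.casecmp?('set-cookie') }
      headers[key] = SameSiteNone.rewrite_header(headers[key], ssl: ssl?(env)) if key
      [status, headers, body]
    end

    private

    # Simplified stand-in for Rack::Request#ssl?: trust the scheme Rack parsed
    # or the proxy's X-Forwarded-Proto (only safe behind a trusted proxy).
    def ssl?(env)
      env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
    end
  end
end

# Constructed demo app: one ordinary cookie and one already marked cross-site
# but missing Secure (the situation the issue describes).
DEMO_APP = lambda do |_env|
  [200, { 'Set-Cookie' => "sid=abc; Path=/; HttpOnly\nconsent=1; SameSite=None" }, ['ok']]
end

# Runs the demo app through the middleware for the given scheme and returns
# the resulting Set-Cookie header value.
def demo_set_cookie(scheme)
  _status, headers, _body = SameSiteNone::Middleware.new(DEMO_APP).call('rack.url_scheme' => scheme)
  headers['Set-Cookie']
end

puts demo_set_cookie('https')
puts demo_set_cookie('http')
```

For an `https` request both cookies come out with `; SameSite=None; Secure`; for an `http` request the header is returned unchanged, since neither `SameSite=None` alone nor `Secure` over HTTP produces a cookie the browser will keep.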