Change SameSite default to None #8043
If this doesn't affect any of our components anyway, then why do the change from "most secure" at all? We'd still be broken.
The point here is that SameSite has been breaking arbitrary components that aren't aware of it so we're changing to an opt-in model. Our components have already opted in as far as they're able.
Opt-in to security is generally not the route we take though
Looks fine code-wise, I defer to @blowdart if this is something that's safe or good to do.
If it was a stable security feature I'd agree, but it's not, Apple keeps breaking it.
So now I ask the impossible, if it's affecting other components can I get an idea of how widespread this is?
We have three datapoints:
This change fixes the first two. It doesn't fix the 3rd.
OK fair, I submit :)
Looks meh to me, but what can I do? :D
@Tratcher please rebase on
/azp run AspNetCore-helix-test
Azure Pipelines successfully started running 1 pipeline(s).
#2675 #4661
Note this changes the basic infrastructure defaults but does not change any given component's behavior as each component already specified their SameSite config.
SameSite defaults:
[WIP] Running tests to make sure I didn't miss any.