Middleware that sets cookies to samesite=none #375
@darrynten I've got this working middleware that I already use in my production. I just need help figuring out what's the most appropriate way to make it available in this package. Do you have any suggestions?
Do not make the changes I suggested before this edit (or in the linked issue). It would break older browsers. See #382
Hi @darrynten the additional changes are necessary because of the browser compatibility issues. It's not sufficient to simply change the cookie settings. I've explained this in detail in #367. The challenge is that the browsers that have issues are quite recent (iOS 12 and macOS 10.14) so it's quite critical that the compatibility issues are covered. This code is based on Shopify's changes to their own Rails library as well.
Regarding compatibility issues please read this article. This cookie completely breaks the app on Safari for iOS 12 and macOS 10.14 so it is critical that the cookie stays as the default settings for those browsers.
I'm actively working on this, I will update as soon as possible
What's your game plan?
@darrynten I also recommend editing your recommendation above on changing the sessions config as doing so will cause the app to unexpectedly break on Safari for macOS 10.14, which I believe is still heavily used.
Please see #382 it resolves the problem cleanly on the Service level instead of on the Middleware level
Closing this PR in favour of #382
Attempt to fix #367.
What I'm not sure about is the strategy to insert this middleware. Should this be included in the install docs for developers to include into the global middleware list? The consideration is that this only applies for requests that are within an embedded app.
Also, the other part I'm not sure about is whether you are okay with a new dependency, seeing that this library has been very clean from other dependencies so far.
Based on Shopify's implementation: Shopify/shopify_app#851
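
The compatibility check discussed in this thread, sketched as an added example (not code from this PR, the package, or Shopify's library): the session cookie gets `SameSite=None` unless the User-Agent is one of the two browser families named above, in which case the attribute is left off. The function names, User-Agent patterns and sample strings are assumptions made for illustration.

```javascript
// Added example. Function names and User-Agent patterns are assumptions;
// only the two browser families named in the thread are covered.

// True when the client is known to treat SameSite=None as SameSite=Strict.
function isSameSiteNoneIncompatible(userAgent) {
  if (!userAgent) return false;

  // Every browser on iOS 12 uses the system WebKit, so match on the OS version.
  const ios = /\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\//.exec(userAgent);
  if (ios && ios[1] === '12') return true;

  // On macOS 10.14 Safari is affected; Chrome and Firefox ship their own engines.
  const mac = /\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\//.exec(userAgent);
  const isSafari = /Version\/.* Safari\//.test(userAgent) && !/Chrom(e|ium)/.test(userAgent);
  return Boolean(mac && mac[1] === '10' && mac[2] === '14' && isSafari);
}

// Build the Set-Cookie value for a session cookie used inside an embedded app.
function buildSessionCookie(name, value, userAgent) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'Secure'];
  // Affected clients get no SameSite attribute at all, i.e. the default settings.
  if (!isSameSiteNoneIncompatible(userAgent)) attrs.push('SameSite=None');
  return attrs.join('; ');
}

// Constructed sample User-Agent strings (not taken from real traffic).
const SAMPLE_UAS = {
  ios12Safari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1',
  ios12Chrome: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/80.0.3987.95 Mobile/15E148 Safari/604.1',
  ios13Safari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1',
  mac1014Safari: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15',
  mac1014Chrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36',
  mac1015Safari: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15',
};

for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(label.padEnd(14), buildSessionCookie('session', 'abc123', ua));
}
```

User-Agent matching is best-effort: a client that spoofs or strips the header falls through to the `SameSite=None` path.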