Make SameSite cookie attribute optional #3257
Conversation
Now that I see the tests this raises a somewhat interesting question -- is the correct default still |
We try to avoid breaking clients, so this seems reasonable. Generating Some(SameSite.Lax) would keep the most forward-compatible default, but allowing to opt-out. |
I wondered whether people would not want to implement this. It looks like a good idea, but I'd never heard of it before the original PR.
I don't see that we've left ourselves any wiggle room to fix this in a binary compatible way. We can't introduce a `SameSite.Unspecified` because it's a sealed trait, and we can't add another parameter to the cookie because it's a case class. The only compatible fix I can imagine is to tolerate and handle nulls, which would be very un-http4s-like.
I think this is a fine approach for master.
Thanks @rossabaker, any thoughts on the default behavior? It feels wrong to me to use |
I think that's true. Once it becomes optional, we could and should respect its absence as |
A thought I'm embarrassed to bring up: if this rendering is hugely problematic for people in 0.21, we could disable the feature with a system property. Or this version is not too binary incompatible yet, so we could at least offer a milestone in the next series once this is merged. |
Updated the default to |
I mentioned this in gitter and figured I'd open a PR with the change. To get the behavior of `SameSite=None` in all browsers, it's necessary to completely exclude the `SameSite` attribute for certain clients that handle it incorrectly. This updates the field to be optional to allow for this.
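As an added illustration of the shape of the change described in this PR (example code written here, not http4s's own `ResponseCookie` or renderer), the sketch below models the attribute as `Option[SameSite]`, keeps `Some(SameSite.Lax)` as the default the thread settled on, and omits the attribute entirely when the caller flags a client that mishandles `SameSite=None`. The `clientMishandlesNone` predicate is assumed to be supplied by the caller; how a client is classified is outside this example.

```scala
// Added example, not http4s code: a minimal model of an optional SameSite attribute.
sealed trait SameSite
object SameSite {
  case object Strict extends SameSite
  case object Lax    extends SameSite
  case object None   extends SameSite // shadows scala.None only inside this object
}

final case class ResponseCookie(
    name: String,
    content: String,
    secure: Boolean = false,
    httpOnly: Boolean = false,
    sameSite: Option[SameSite] = Some(SameSite.Lax) // default stays Lax; None means "omit"
)

object CookieRender {
  // Renders a Set-Cookie value; a missing sameSite produces no SameSite attribute at all.
  def render(c: ResponseCookie): String = {
    val attrs: List[Option[String]] = List(
      if (c.secure) Some("Secure") else None,
      if (c.httpOnly) Some("HttpOnly") else None,
      c.sameSite.map {
        case SameSite.Strict => "SameSite=Strict"
        case SameSite.Lax    => "SameSite=Lax"
        case SameSite.None   => "SameSite=None"
      }
    )
    (s"${c.name}=${c.content}" :: attrs.flatten).mkString("; ")
  }

  // For a client known to misinterpret SameSite=None, drop the attribute rather than
  // send a value the client will treat incorrectly. The predicate is a hypothetical
  // input from the caller (for example derived from the request's User-Agent).
  def forClient(c: ResponseCookie, clientMishandlesNone: Boolean): ResponseCookie =
    if (clientMishandlesNone && c.sameSite.contains(SameSite.None)) c.copy(sameSite = None)
    else c
}

object Demo extends App {
  // Cross-site cookie: SameSite=None is normally paired with Secure.
  val cross = ResponseCookie("session", "abc123", secure = true, httpOnly = true,
                             sameSite = Some(SameSite.None))
  println(CookieRender.render(cross))
  println(CookieRender.render(CookieRender.forClient(cross, clientMishandlesNone = true)))
  println(CookieRender.render(ResponseCookie("a", "b"))) // default: SameSite=Lax
}
```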