fix: same site legacy workaround on iOS 12 (#1908)

Enables legacy compatibility on iOS version < 13 and macOS version < 10.15 #1810 incorrectly implements https://web.dev/samesite-cookie-recipes/#handling-incompatible-clients Notice Set-cookie: 3pcookie-legacy=value; Secure the cookie does not have the SameSite attribute present. The http.SameSiteDefaultMode used in hydra implementation results in attribute without the value, see https://github.com/golang/go/blob/release-branch.go1.14/src/net/http/cookie.go#L221 That triggers the problems with the older iOS and macOS versions, as Apple did not follow the https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1 see https://trac.webkit.org/browser/webkit/trunk/Source/WebInspectorUI/UserInterface/Models/Cookie.js?rev=239226#L118 Closes: #1907
ory · Jun 16, 2020 · 128ad98 · 128ad98
1 parent 34c644d
commit 128ad98
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/consent/helper.go b/consent/helper.go
@@ -73,7 +73,7 @@ func createCsrfSession(w http.ResponseWriter, r *http.Request, store sessions.St
 		return errors.WithStack(err)
 	}
 	if sameSiteMode == http.SameSiteNoneMode && sameSiteLegacyWorkaround {
-		return createCsrfSession(w, r, store, legacyCsrfSessionName(name), csrf, secure, http.SameSiteDefaultMode, false)
+		return createCsrfSession(w, r, store, legacyCsrfSessionName(name), csrf, secure, 0, false)
 	}
 	return nil
 }

diff --git a/consent/helper_test.go b/consent/helper_test.go
@@ -322,7 +322,7 @@ func TestCreateCsrfSession(t *testing.T) {
 				"csrf_none_fallback_legacy": {
 					httpOnly: true,
 					secure:   true,
-					sameSite: http.SameSiteDefaultMode,
+					sameSite: 0,
 				},
 			},
 		},