New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow opting out of the SameSite
cookie attribute when setting a cookie
#45501
Conversation
f5994cd
to
e636b40
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah! Good catch! 👍
end | ||
|
||
def test_setting_cookie_with_specific_same_site_strict | ||
@request.env["action_dispatch.cookies_same_site_protection"] = proc { :lax } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is already set in setup
, so we could possibly omit. I do see an argument for being explicit here, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is better to be explicit since all the tests around it have the same pattern.
5f263c0
to
1379a50
Compare
…okie. Since rails@7ccaa12 it's not been possible to not include `SameSite` on your cookies. `SameSite` is recommended, but it's not a required field, and you should be able to opt out of it. This PR introduces that ability: you can opt out of `SameSite` by passing `same_site: false`. ```ruby cookies[:foo] = { value: "bar", same_site: false } ``` Previously, this incorrectly set the `SameSite` attribute to the value of the `cookies_same_site_protection` setting. rails#44934 added docs saying that you could pass `nil` as a value, but that also would fall back to the default (`:lax`).
Good call @jonathanhefner. The API is much simpler now 😍 |
1379a50
to
d29e755
Compare
Thank you, @ghiculescu! 🙌 |
Rails 7.0 does not support opting out of the `SameSite` attribute by specifying `same_site: nil`. (However, #45501 will add support for this in the next Rails release.)
Follow-up to rails#45501. The Rack base class that `CookieStore` inherits from [always sets `:same_site`][1]. Thus, `options.key?(:same_site)` always returns true for session cookies, preventing a default value from being set. It would be possible to change Rack to conditionally set `:same_site`, but, from Rack's perspective, it has no reason to not set `:same_site`, because it treats a `nil` value the same as no value. Therefore, this commit specifies a default `:same_site` in `CookieStore`, which simply defers to `request.cookies_same_site_protection` as `CookieJar` does. Fixes rails#45681. [1]: https://github.com/rack/rack/blob/2.2.4/lib/rack/session/abstract/id.rb#L398-L402
Glad you were able to draw attention to your PR. I didn't on my own patch long ago :'( #42962. Yours is better anyway. |
Since #37974 it's not been possible to not include
SameSite
on your cookies.SameSite
is recommended, but it's not a required field, and you should be able to opt out of it.This PR introduces that ability: you can opt out of
SameSite
by passingsame_site: nil
.Previously, this incorrectly set the
SameSite
attribute to the value of thecookies_same_site_protection
setting. #44934 added docs saying that you could passnil
as a value, but that also would fall back to the default (:lax
).