Steps to reproduce
1. Create a new rails app using main or on/after d29e755
2. Add a model, change default route to its index
3. Start server, open in Firefox (I'm using 103.0)
Expected behavior
No console errors
Actual behavior
The good old:
Cookie “_fuck_session” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Rolling back to the previous commit, 646bff6, the console error is not logged.
Etc.
Setting config.action_dispatch.cookies_same_site_protection in application.rb has no effect on this.
I don't know if the changelog for d29e755 is supposed to be suggesting a workaround, but where exactly it would be set for ordinary session cookies is unclear to me. Regardless, out of the box, the error is present.
Oh, yeah, and there aren't any errors in Chrome (hence the title).
Thanks in advance :)
Follow-up to rails#45501.
The Rack base class that `CookieStore` inherits from [always sets
`:same_site`][1]. Thus, `options.key?(:same_site)` always returns true
for session cookies, preventing a default value from being set.
It would be possible to change Rack to conditionally set `:same_site`,
but, from Rack's perspective, it has no reason to not set `:same_site`,
because it treats a `nil` value the same as no value.
Therefore, this commit specifies a default `:same_site` in `CookieStore`,
which simply defers to `request.cookies_same_site_protection` as
`CookieJar` does.
Fixes rails#45681.
[1]: https://github.com/rack/rack/blob/2.2.4/lib/rack/session/abstract/id.rb#L398-L402
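To make the mechanism described in the commit message concrete, here is an added Ruby illustration (example code written for this page, not Rails's or Rack's own): an options hash that, like Rack's session base class, already carries `same_site: nil`; the keyed default check that this nil value defeats; a nil-aware default that defers to the configured protection (a symbol or a callable, mirroring that `cookies_same_site_protection` may be a proc); and a small Set-Cookie serialiser that, like Rack, emits no attribute for nil. The option names follow Rack's, but `apply_same_site_keyed`, `apply_same_site_defaulted`, `build_set_cookie`, `same_site_attribute` and the `_app_session` cookie are constructed for this example.

```ruby
# Constructed: the cookie options a Rack-style session store pre-populates.
# The :same_site key is present even though its value is nil, which is the
# situation the commit message describes.
RACK_SESSION_DEFAULTS = {
  path: "/",
  httponly: true,
  same_site: nil,   # key present, value nil
}.freeze

# Pre-fix behaviour (hypothetical helper): the application default is only
# applied when the key is absent, so Rack's nil value blocks it.
def apply_same_site_keyed(options, default)
  options = options.dup
  options[:same_site] = default unless options.key?(:same_site)
  options
end

# Post-fix behaviour (hypothetical helper): a nil value counts as "unset" and
# defers to the configured protection, which may be a symbol or a callable
# that receives the request.
def apply_same_site_defaulted(options, protection, request = nil)
  options = options.dup
  if options[:same_site].nil?
    options[:same_site] =
      protection.respond_to?(:call) ? protection.call(request) : protection
  end
  options
end

# Minimal Set-Cookie serialiser modelled on how Rack treats :same_site:
# nil or false emits no attribute, the three valid values map to it, and
# anything else is rejected.
def build_set_cookie(name, value, options)
  parts = ["#{name}=#{value}"]
  parts << "Path=#{options[:path]}" if options[:path]
  parts << "HttpOnly" if options[:httponly]
  parts << "Secure" if options[:secure]
  case options[:same_site]
  when nil, false
    # no SameSite attribute at all: this is the header Firefox warns about
  when :none, :lax, :strict
    parts << "SameSite=#{options[:same_site].to_s.capitalize}"
  else
    raise ArgumentError, "Invalid SameSite value: #{options[:same_site].inspect}"
  end
  parts.join("; ")
end

# Extract the SameSite value from a serialised header, or nil if absent.
def same_site_attribute(header)
  header[/SameSite=(\w+)/, 1]
end

if __FILE__ == $PROGRAM_NAME
  configured = :lax   # stands in for config.action_dispatch.cookies_same_site_protection

  buggy = build_set_cookie("_app_session", "abc",
                           apply_same_site_keyed(RACK_SESSION_DEFAULTS, configured))
  fixed = build_set_cookie("_app_session", "abc",
                           apply_same_site_defaulted(RACK_SESSION_DEFAULTS, configured))

  puts "keyed default:  #{buggy}"   # no SameSite attribute
  puts "nil-aware:      #{fixed}"   # SameSite=Lax
end
```

Running the file prints the two headers side by side; the first one, with no SameSite attribute, is exactly the shape that produces the Firefox console warning quoted in the issue, while an explicitly set `same_site: :none` is left untouched by the nil-aware helper, so an application that deliberately opts out is not overridden.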
Just a heads up: this issue is fixed when using ActionDispatch::Session::CookieStore by #45688, but it's not fixed for ActionDispatch::Session::CacheStore ⚠️
When using config.session_store :cache_store, SameSite defaults to nil on the resulting session cookie and Firefox throws the warning mentioned in the original bug description above. This is a security regression that's present in 7.1 (including 7.1.3.2) but not in 7.0.
System configuration
Rails version: rails/main (currently at b8964e5)
Ruby version: 3.1.2p20