Set Removal Cookies SameSite to Lax #215
Comments
|
The treatment of cookies without a Do you have any evidence to indicate that browsers do or will do otherwise? |
|
I would agree with you here But here is one from firefox.
Edit: So we either need to set it to Lax or SameSite=None with secure set to true. which seems to be what they are focusing on. |
|
That feels like an issue for web browsers, not one that we should paper over here. The goal of this library is to be foundational and correct, not opinionated. For this reason, we don't arbitrarily set SameSite attributes, or any other attributes, for any cookies in this library, and I don't think we should automatically set them for removal cookies either, but this library liberally and conveniently allows setting them yourself. Should our position on that change, we can revisit this issue then. Until then, I'm closing this out. Note: If you're using a web framework that uses this library, I would advocate that you raise an issue there. Web frameworks can be more opinionated. Rocket sets SameSite attributes automatically, for example. If it's not doing so for removal cookies, that sounds like an opportunity for improvement. |
The issue is Removal cookies don't get a Same Site setting which browsers are starting to Require Or presetting them as Lax. Inserting the Same site as Lax will prevent the Browser from displaying Warning messages and maybe Error messages later based on the action the browser take.
The text was updated successfully, but these errors were encountered: