access-company / antikythera

Elixir framework to build your own in-house PaaS
Apache License 2.0

Adding `SameSite` to `Antikythera.Http.SetCookie` #186

Open sylph01 opened 2 years ago

sylph01 commented 2 years ago

Rationale

Antikythera.Http.SetCookie lacks the option to set the SameSite attribute of Set-Cookie header, and now it is forced into using SameSite=Lax. As my team and I came across a need to set the SameSite directive to SameSite=none (especially in combination with Antikythera.Session), I am raising this issue and proposing the addition of this functionality. This would also help gears that want to enforce SameSite=strict.

Proposed changes

Relevant references

aYukiSekiguchi commented 2 years ago

Thank you for filing a bug!

Since cowlib, which Antikythera uses, has :same_site, Antikythera.Http.SetCookie should have it as well. However, cowlib 2.9 or earlier only supports :lax and :strict, so we have to update cowlib to 2.10. It means we have to update cowboy to 2.9.

Could you wait for the cowboy update?

sylph01 commented 2 years ago

I have checked with our team that we can figure out a workaround to our project's specific problem, so we can wait for the cowboy update.

Meanwhile, we found out that we need to specify the session's expiration explicitly, so I sent a patch that does this and also addresses the second part of this issue (Add an interface to Antikythera.Plug.Session.load/2). The first part will be addressed after the cowboy update, because it is dependent on cowboy supporting the :none value for same_site key.
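The thread above is about exposing a `same_site` option that accepts `none` as well as `lax` and `strict`. Below is an added Python example, not code from the Antikythera project and not cowlib's API; the `SetCookie` class, `audit_set_cookie` function and finding codes are hypothetical names chosen for illustration. It models a Set-Cookie serializer that defaults to `SameSite=Lax` (the browser default), accepts `none`, and refuses the one combination browsers silently drop: `SameSite=None` on a cookie that is not also `Secure`. The audit function does the reverse, parsing a header value as a reviewer or scanner would and flagging cookies that lack SameSite, use an unrecognised value, or set None without Secure.

```python
"""Build and audit Set-Cookie headers with an explicit SameSite attribute.

Added example; not Antikythera or cowlib code. SetCookie, audit_set_cookie
and the finding codes are hypothetical names.
"""
from dataclasses import dataclass
from typing import List, Optional

# Values browsers recognise. Anything else is ignored and the browser falls
# back to its default (Lax in Chromium-based browsers).
SAMESITE_VALUES = ("Strict", "Lax", "None")


@dataclass
class SetCookie:
    """Hypothetical cookie struct carrying the usual Set-Cookie attributes."""
    name: str
    value: str
    path: Optional[str] = "/"
    domain: Optional[str] = None
    max_age: Optional[int] = None
    secure: bool = False
    http_only: bool = False
    # Lax by default, matching browser behaviour; set to None to emit no
    # SameSite attribute at all.
    same_site: Optional[str] = "Lax"

    def serialize(self) -> str:
        parts = [f"{self.name}={self.value}"]
        if self.path is not None:
            parts.append(f"Path={self.path}")
        if self.domain is not None:
            parts.append(f"Domain={self.domain}")
        if self.max_age is not None:
            parts.append(f"Max-Age={self.max_age}")
        if self.secure:
            parts.append("Secure")
        if self.http_only:
            parts.append("HttpOnly")
        if self.same_site is not None:
            same_site = self.same_site.capitalize()  # accept "none", "NONE", ...
            if same_site not in SAMESITE_VALUES:
                raise ValueError(f"unsupported SameSite value: {self.same_site!r}")
            # Browsers reject SameSite=None unless the cookie is also Secure,
            # so refuse to emit a header that would be dropped on the client.
            if same_site == "None" and not self.secure:
                raise ValueError("SameSite=None requires Secure")
            parts.append(f"SameSite={same_site}")
        return "; ".join(parts)


def audit_set_cookie(header: str) -> List[str]:
    """Parse one Set-Cookie header value; return finding codes (empty = fine)."""
    segments = [s.strip() for s in header.split(";")]
    attrs = {}
    for segment in segments[1:]:
        key, _, val = segment.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive

    findings = []
    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("SAMESITE_MISSING")
    elif same_site.lower() not in ("strict", "lax", "none"):
        findings.append("SAMESITE_INVALID")
    elif same_site.lower() == "none" and "secure" not in attrs:
        findings.append("SAMESITE_NONE_WITHOUT_SECURE")
    if "httponly" not in attrs:
        findings.append("HTTPONLY_MISSING")
    return findings


if __name__ == "__main__":
    # Constructed sample: a cross-site session cookie done right.
    cookie = SetCookie("sid", "abc", secure=True, http_only=True, same_site="none")
    print(cookie.serialize())
    print(audit_set_cookie("sid=abc; Path=/; SameSite=None"))
```

The serializer raises rather than emitting a `SameSite=None` cookie without `Secure`, because a cookie that the browser discards fails in a way that looks like a session bug rather than a configuration error. The audit side is what you would run over captured response headers when reviewing a service that was forced to `Lax` and is now being switched to `None`.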