Closed ProphetLamb closed 11 months ago
Sounds like a good idea. Can you think of some scenario when it can be problematic to have that as default?
I'll add it as an option anyway, so in the worst case, it can be modified.
I am unfamiliar with the behavior of this policy across subdomains.
There could be a scenario where a user expects a certain behavior with an app behind a reverse proxy.
E.g. account.example.com -> localhost:4000/account
and store.example.com -> localhost:4000/store
might not share flash messages, but are served by the same backend at different routes.
It seems like it should work with subdomains, according to this: https://andrewlock.net/understanding-samesite-cookies/
I don't get the warning when testing on the SvelteKit dev server; in what circumstances do you get it?
Using this extension yields the following future deprecation warning:
Would it be advisable to specify Same-Site: Strict on the cookie?
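As an added example (not code from this thread or from the library it discusses), a small JavaScript model of the SameSite cookie rules that checks the two-subdomain setup and the Strict question above; it assumes the constructed hosts store.example.com, account.example.com and idp.example.net, and approximates a "site" as the last two host labels.

```javascript
// Added example (not from the thread or the library): a model of the SameSite
// attribute rules from RFC 6265bis, used to check the subdomain scenario
// discussed above. Assumption: a host's "site" is approximated as its last two
// labels (e.g. "example.com"); real browsers consult the Public Suffix List,
// so this simplification is wrong for hosts such as "foo.co.uk".

function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Is a cookie carrying this SameSite value attached to a request?
// initiatorHost: the page that caused the request; targetHost: where it goes;
// topLevelNavigation: true for a GET that changes the address bar (link click,
// redirect), false for fetch/XHR, subresource loads and form POSTs.
function cookieIsSent({ sameSite, initiatorHost, targetHost, topLevelNavigation }) {
  const sameSiteRequest = siteOf(initiatorHost) === siteOf(targetHost);
  switch (sameSite) {
    case 'strict': return sameSiteRequest;                       // never cross-site
    case 'lax':    return sameSiteRequest || topLevelNavigation; // plus cross-site top-level GETs
    case 'none':   return true;                                  // always (browsers also require Secure)
    default: throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed scenarios for a flash cookie on an app served from two subdomains
// (hosts are made up for this example).
const SCENARIOS = {
  // store.example.com redirects to account.example.com: same site, Strict still sends the cookie.
  subdomainRedirectStrict: { sameSite: 'strict', initiatorHost: 'store.example.com', targetHost: 'account.example.com', topLevelNavigation: true },
  // fetch() from one subdomain to the other: still same site.
  subdomainFetchStrict:    { sameSite: 'strict', initiatorHost: 'store.example.com', targetHost: 'account.example.com', topLevelNavigation: false },
  // An external site (e.g. a login provider) redirects the user back:
  // Strict withholds the cookie on that first landing, Lax sends it.
  externalRedirectStrict:  { sameSite: 'strict', initiatorHost: 'idp.example.net', targetHost: 'account.example.com', topLevelNavigation: true },
  externalRedirectLax:     { sameSite: 'lax',    initiatorHost: 'idp.example.net', targetHost: 'account.example.com', topLevelNavigation: true },
  // Cross-site form POST: neither Strict nor Lax attaches the cookie.
  externalPostLax:         { sameSite: 'lax',    initiatorHost: 'idp.example.net', targetHost: 'account.example.com', topLevelNavigation: false },
};

// Evaluate every scenario and return { name: cookieSent } for inspection.
function evaluateScenarios() {
  const out = {};
  for (const [name, s] of Object.entries(SCENARIOS)) out[name] = cookieIsSent(s);
  return out;
}

console.table(evaluateScenarios());
```

The one case where Strict changes behaviour for a flash cookie is a redirect arriving from another site: the cookie is absent on that first request, so a message set before a cross-site round trip would only show up on the following same-site navigation.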