ciscoheat / sveltekit-flash-message

Send temporary data after redirect, usually from endpoints. Works with both SSR and client.
https://www.npmjs.com/package/sveltekit-flash-message
MIT License

Missing cookie Same-Site attribute #15

Closed ProphetLamb closed 11 months ago

ProphetLamb commented 11 months ago

Using this extension yields the following future deprecation warning:

Some cookies are misusing the recommended sameSite attribute Cookie "flash" will be soon rejected because it has the Same-Site attribute set to "none" or an invalid value, without the "secure" attribute. To know more about the "Same-Site" attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Would it be advisable to specify Same-Site: Strict on the cookie?
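As an added example (not code from this issue or from sveltekit-flash-message), the check below parses a Set-Cookie header and reports the combination the warning above complains about: SameSite set to None, or to an invalid value, without Secure, plus the case where SameSite is missing altogether. The sample headers are constructed, and buildSetCookie is a hypothetical helper that emits the attributes spelled out explicitly.

```javascript
// Added example, not part of sveltekit-flash-message.

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report the SameSite/Secure problems a browser would object to.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const secure = attrs.secure === true;
  const raw = attrs.samesite;
  const sameSite = typeof raw === 'string' ? raw.toLowerCase() : undefined;
  const valid = ['strict', 'lax', 'none'].includes(sameSite);

  if (sameSite === undefined) {
    problems.push('no SameSite attribute: the browser default applies (Lax in Chromium); set it explicitly');
  } else if (!valid) {
    problems.push(`invalid SameSite value "${raw}"`);
  }
  // The quoted Firefox warning treats "none" and an invalid value alike:
  // both are rejected unless Secure is also present.
  const treatedAsNone = sameSite === 'none' || (sameSite !== undefined && !valid);
  if (treatedAsNone && !secure) {
    problems.push('SameSite=None (or invalid) without Secure: the cookie will be rejected');
  }
  return { name, sameSite, secure, problems };
}

// Hypothetical helper: build a header with every relevant attribute explicit.
function buildSetCookie(name, value, { path = '/', sameSite = 'Strict', secure = true, httpOnly = true, maxAge } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// Constructed sample headers (not captured from the library).
const SAMPLE_HEADERS = [
  'flash=%7B%22type%22%3A%22ok%22%7D; Path=/; SameSite=None', // the shape the warning describes
  'flash=abc; Path=/',                                          // no SameSite at all
  buildSetCookie('flash', '{"type":"ok"}', { sameSite: 'Strict', maxAge: 120 }),
];

for (const h of SAMPLE_HEADERS) {
  const r = auditSetCookie(h);
  console.log(h, '\n  ->', r.problems.length ? r.problems : 'ok');
}
```

In SvelteKit the same attributes are passed to cookies.set as options (`sameSite: 'strict'`, `secure: true`, `path: '/'`), so an explicit default in the library maps directly onto the audited header.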

ciscoheat commented 11 months ago

Sounds like a good idea. Can you think of some scenario when it can be problematic to have that as default?

I'll add it as an option anyway, so in the worst case, it can be modified.

ProphetLamb commented 11 months ago

I am unfamiliar with the behavior of this policy across subdomains. There could be a scenario where a user expects a certain behavior with an app behind a reverse proxy. E.g. account.example.com -> localhost:4000/account and store.example.com -> localhost:4000/store might not share flash messages, but are served by the same backend at different routes.

ciscoheat commented 11 months ago

It seems like it should work with subdomains, according to this: https://andrewlock.net/understanding-samesite-cookies/

I don't get the warning when testing on the SvelteKit dev server; in what circumstances do you get it?
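As an added example (not from the thread or from the library), the two separate rules behind the subdomain question: SameSite decides whether a cookie accompanies a cross-site request, while the cookie's Domain attribute decides which hosts receive it at all. The registrableDomain helper assumes the last two labels form the site, which is correct for example.com and localhost but not for suffixes like co.uk, where real browsers consult the Public Suffix List; the account/store hostnames are the ones mentioned above.

```javascript
// Added example, not part of sveltekit-flash-message.

// Registrable domain ("site"). Assumption: the last two labels form the
// registrable domain. Browsers use the Public Suffix List instead, so this
// is wrong for multi-label suffixes (co.uk); fine for example.com.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.length <= 2 ? labels.join('.') : labels.slice(-2).join('.');
}

// Schemeful same-site, as modern browsers apply it: same scheme and same
// registrable domain. The port is ignored, so a reverse proxy in front of
// localhost:4000 changes nothing here; only the public hostnames matter.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Would the SameSite rule let a cookie accompany a request from `fromUrl`
// to `toUrl`? Strict never crosses sites, Lax crosses only on top-level
// navigations with safe methods, None always does (and needs Secure).
function sentUnderSameSite(sameSite, fromUrl, toUrl, { topLevelNavigation = true, method = 'GET' } = {}) {
  if (isSameSite(fromUrl, toUrl)) return true;
  switch (sameSite.toLowerCase()) {
    case 'strict': return false;
    case 'lax': return topLevelNavigation && ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method.toUpperCase());
    case 'none': return true;
    default: throw new Error(`unknown SameSite value ${sameSite}`);
  }
}

// Which hosts receive the cookie at all: without a Domain attribute it is
// host-only; with Domain=example.com it also reaches every subdomain
// (RFC 6265 section 5.1.3 domain matching).
function cookieReachesHost(cookieDomainAttr, setOnHost, requestHost) {
  if (!cookieDomainAttr) return setOnHost.toLowerCase() === requestHost.toLowerCase();
  const d = cookieDomainAttr.toLowerCase().replace(/^\./, '');
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Scenario from the thread: two subdomains served by one backend.
const ACCOUNT = 'https://account.example.com/account';
const STORE = 'https://store.example.com/store';
console.log('same site:', isSameSite(ACCOUNT, STORE));
console.log('Strict cookie sent store -> account:', sentUnderSameSite('Strict', STORE, ACCOUNT));
console.log('host-only cookie from account seen by store:', cookieReachesHost(undefined, 'account.example.com', 'store.example.com'));
console.log('Domain=example.com cookie seen by store:', cookieReachesHost('example.com', 'account.example.com', 'store.example.com'));
```

For the two hostnames in the thread the result is that SameSite=Strict does not stop a flash cookie from accompanying a navigation from store.example.com to account.example.com, because they are the same site; whether store.example.com ever sees a cookie set on account.example.com is decided by the Domain attribute, and a cookie set without one stays with the host that set it.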