Closed tiblu closed 3 years ago
Triage 20 - timebox to 8 hrs, investigate. Q: Can we recognise app loaded via widget server-side to send looser policy?
It seems that the only ways to recognise whether the app is loaded from the widget are to set some kind of session flag for partner requests or to add some parameters to the login request. As this question was initially set for server-side recognition only, we could also use different paths for the authentication request. As browsers now by default set SameSite: Lax, our widget login doesn't work.
Triage 36. Time has moved on; this is now enforced by browsers. We recognise that our widget is not working due to this.
What is the user story?
As a user, I would like maximum protection against possible CSRF. While CORS is implemented, the SameSite policy provides an extra layer of security by preventing cookies from being sent in a cross-site context.
What is the requested feature?
Additional information.
Related to:
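As an added example (not code from this issue or from the project), a small Node helper that implements the "different paths for the authentication request" idea discussed above: a login on the widget path, assumed here to be `/api/auth/widget/login`, gets a session cookie with `SameSite=None; Secure` so it is still sent when the app is embedded cross-site, while every other login keeps `SameSite=Lax`. The cookie name `sid` and the path are assumptions. It also refuses `SameSite=None` over plain HTTP, because browsers drop such cookies unless they carry `Secure`.

```javascript
// Added example: pick the session cookie's SameSite policy by auth path.
// Assumptions (not from the issue): the widget signs in through its own
// path, WIDGET_LOGIN_PATH, and the session cookie is named "sid".
const WIDGET_LOGIN_PATH = '/api/auth/widget/login';
const SESSION_COOKIE = 'sid';

// Returns the Set-Cookie header value for a login on `path`.
// `secure` is whether the request arrived over HTTPS.
function buildSessionCookie(path, sessionId, secure) {
  const isWidget = path === WIDGET_LOGIN_PATH;
  if (isWidget && !secure) {
    // Browsers reject SameSite=None cookies that lack the Secure attribute,
    // so a widget login over HTTP can never work; fail loudly instead.
    throw new Error('widget login requires HTTPS for SameSite=None');
  }
  const attrs = [
    `${SESSION_COOKIE}=${encodeURIComponent(sessionId)}`,
    'Path=/',
    'HttpOnly',
    // Widget: embedded cross-site, so the cookie must be allowed in a
    // cross-site context. Everything else: Lax blocks cross-site POSTs.
    isWidget ? 'SameSite=None' : 'SameSite=Lax',
  ];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Parses a Set-Cookie value back into { name, value, attrs } so the
// emitted policy can be checked (attribute names are lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split('; ');
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    if (i === -1) attrs[a.toLowerCase()] = true;
    else attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attrs,
  };
}

console.log(buildSessionCookie(WIDGET_LOGIN_PATH, 'constructed-session-id', true));
console.log(buildSessionCookie('/api/auth/login', 'constructed-session-id', true));
```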