Open ernstscheithauer opened 2 years ago
As it's just a proposal right now, we can't react, as it may not happen (FLoC is a great example of this).
Until there's something more concrete and actual dates for implementation, we can't plan for it.
We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have a better expectation regarding different types of issues, you can read our Triage Process.
Note that the "nonce" OpenID Connect cookie will also be affected if SameSite=None stops working.
However, @ernstscheithauer, thinking on it last night, we could improve things so you don't have to wait for us to implement new properties.
See https://github.com/dotnet/aspnetcore/issues/39968 as a general proposal
According to https://developer.chrome.com/en/blog/progress-in-the-privacy-sandbox-2021-12/ there are going to be changes in the handling of cookies with SameSite=None.
When using OpenID Connect authentication, the base classes that are used issue and validate a correlation cookie with SameSite=None, so this cookie is affected by the change.
See
https://github.com/dotnet/aspnetcore/blob/b89eba6c3cda331ee98063e3c4a04267ec540315/src/Security/Authentication/OAuth/src/OAuthHandler.cs
https://github.com/dotnet/aspnetcore/blob/b89eba6c3cda331ee98063e3c4a04267ec540315/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs
Could you please share the plans for how to deal with this issue? Is this going to be fixed in aspnetcore?
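
One way to see which cookies an application issues with SameSite=None, including the correlation and nonce cookies discussed in this thread, is to log them from the cookie policy hook. This is an added example, not code from the issue or from the ASP.NET Core team; the authority URL, client id, `/login` route and logger name are placeholders to replace with your own registration.

```csharp
// Added example: inventory every cookie the app writes with SameSite=None.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(o =>
    {
        o.Authority = "https://idp.example.test"; // placeholder issuer (assumption)
        o.ClientId = "example-client";            // placeholder client id (assumption)
    });

// The cookie policy middleware sees every cookie appended to the response,
// including those written by the remote authentication handlers.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.OnAppendCookie = ctx =>
    {
        if (ctx.CookieOptions.SameSite != SameSiteMode.None) return;
        ctx.Context.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("SameSiteNoneAudit") // hypothetical logger category
            .LogWarning(
                "SameSite=None cookie {Name} issued for {Path}, Secure={Secure}",
                ctx.CookieName, ctx.Context.Request.Path, ctx.CookieOptions.Secure);
    };
});

var app = builder.Build();
app.UseCookiePolicy();   // must run before UseAuthentication to observe its cookies
app.UseAuthentication();
app.MapGet("/login", () => Results.Challenge()); // starts the OpenID Connect challenge
app.Run();
```

The logged names give the list of cookies that depend on cross-site delivery and would need retesting if browser handling of SameSite=None changes.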