Closed martinlindhe closed 5 months ago
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.
@martinlindhe The http.SameSiteDefaultMode would still result in cookie being dropped because default mode will not add SameSite.
I am leaning towards defaulting SameSite to http.SameSiteLaxMode inside cookie store initializer (NewCookieStore). Along with this it should be clearly documented through an example that this option is configurable.
References for my above opinions:
Expired draft: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-3.1
Currently active: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1
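The behaviour discussed in the comment above, as an added example that is not part of the thread or the project's code: it renders the Set-Cookie header net/http produces for each SameSite mode and shows the effect of defaulting to Lax. The helper names (`laxIfUnset`, `sessionCookieHeader`, `sameSiteAttr`) and the cookie name and value are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// laxIfUnset mirrors the default proposed above for a store initializer:
// the zero value and http.SameSiteDefaultMode both become Lax.
// Hypothetical helper, not the project's code.
func laxIfUnset(mode http.SameSite) http.SameSite {
	if mode == 0 || mode == http.SameSiteDefaultMode {
		return http.SameSiteLaxMode
	}
	return mode
}

// sessionCookieHeader renders the Set-Cookie value net/http would send for a
// session cookie with the given SameSite mode (name and value are constructed).
func sessionCookieHeader(mode http.SameSite) string {
	c := &http.Cookie{
		Name: "session", Value: "constructed-value", Path: "/",
		MaxAge: 3600, Secure: true, HttpOnly: true, SameSite: mode,
	}
	return c.String()
}

// sameSiteAttr returns the SameSite value in a Set-Cookie header, or "" when
// the attribute is absent.
func sameSiteAttr(header string) string {
	for _, attr := range strings.Split(header, ";")[1:] {
		k, v, _ := strings.Cut(strings.TrimSpace(attr), "=")
		if strings.EqualFold(k, "SameSite") {
			return v
		}
	}
	return ""
}

func main() {
	modes := []http.SameSite{0, http.SameSiteDefaultMode, laxIfUnset(0), http.SameSiteStrictMode}
	for _, m := range modes {
		h := sessionCookieHeader(m)
		fmt.Printf("SameSite=%q  %s\n", sameSiteAttr(h), h)
	}
}
```

An explicit mode chosen by the caller, including http.SameSiteNoneMode, passes through `laxIfUnset` unchanged, so the option stays configurable.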
The SameSite patch in #165 and #170 forgot to initialize SameSite to a value in the default path.
I think the intent was to initialize it to http.SameSiteDefaultMode.
Currently this results in the following error in Firefox Developer Tools