petalframework / petal_boilerplate

Phoenix + Tailwind + Petal Components Boilerplate
https://petal.build
152 stars 21 forks

set "SameSite" to "Strict" for session cookies #11

Closed jvantuyl closed 1 year ago

jvantuyl commented 2 years ago

According to various browser console messages, cookies will very soon need to have the SameSite attribute set to deliver cookies across sites. Here is an example of the ones in Chrome (which also includes the solution). I've seen these in Firefox as well.

I'm pretty sure there's really no legitimate reason to forward these across sites anyway, so setting this to "strict" just applies the security policy we should probably have anyway. Best case, more secure. Worst case, at least we're making the console less noisy for devs.

It looks like all we need to do is append extra: "SameSite=Strict" to the @session_options here.
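As an added example (not petal_boilerplate's or Phoenix's own code), this is what the change looks like in a Phoenix endpoint module. The app name MyApp, the cookie key and the signing salt are placeholders. The :same_site key is the dedicated Plug.Session cookie option (it is passed through to Plug.Conn.put_resp_cookie/4); the extra: "SameSite=Strict" form from the comment above is the raw-string equivalent and is assumed here to be the fallback for Plug versions that predate :same_site.

```elixir
# lib/my_app_web/endpoint.ex (hypothetical app; mirrors a generated
# Phoenix endpoint but is an added example, not the project's own code)
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Before: no SameSite attribute at all. The browser falls back to its
  # own default (modern Chrome and Firefox treat a missing attribute as
  # Lax and print the console warning the issue describes).
  #
  #   @session_options [
  #     store: :cookie,
  #     key: "_my_app_key",
  #     signing_salt: "CHANGE_ME"
  #   ]

  # After: the session cookie is only attached to same-site requests.
  # :same_site is forwarded by Plug.Session to Plug.Conn.put_resp_cookie/4.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "CHANGE_ME",   # placeholder; use the generated salt
    same_site: "Strict"
    # Raw equivalent if the installed Plug has no :same_site option
    # (assumption: older Plug release); :extra appends the string to
    # the Set-Cookie value verbatim:
    #   extra: "SameSite=Strict"
  ]

  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end
```

Two things to check before shipping "Strict" rather than "Lax". First, confirm the attribute actually reaches the wire: request any page that touches the session (for example with curl -i against the running app) and look for SameSite=Strict on the _my_app_key Set-Cookie header. Second, Strict also withholds the cookie on top-level cross-site navigations, so a user who follows a link to the app from another site or from an email arrives without their session and sees the logged-out view until the next same-site request; the same applies to an OAuth/OIDC callback redirect that expects the session to be present. Lax keeps the cookie on top-level GET navigations while still dropping it from cross-site POSTs, iframes and fetches, which is the CSRF protection most apps are after.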

jvantuyl commented 2 years ago

Filed a similar issue on the main Phoenix Project (phoenixframework/phoenix#4877).

mplatts commented 2 years ago

Thanks - didn't know about that and not sure whether to set a default. Let's see what happens on your Phoenix issue

jvantuyl commented 1 year ago

This ended up merged upstream (https://github.com/phoenixframework/phoenix/pull/4677). Did this get pulled into Petal? If it did, can we close this?

mplatts commented 1 year ago

Yep, seems to be in there.