Open rowan-m opened 4 years ago
I don't have a lot of bandwidth to add more configuration options at the moment, but hopefully should have some time before Chrome's changes go live in February. Otherwise the code is pretty simple so feel free to submit a pull request.
To add to the configurable behavior, we'd love to see request-level configuration. Our app has lots of integrations that are implemented via iframes (e.g. SharePoint, Microsoft Teams, etc.). For requests coming from those integrations (which can be validated), we'd like to remove the SameSite restriction, but for other requests, we'd like to have the Lax or Strict setting.
By applying `SameSite=None; Secure` to all cookies you do have the benefit of maintaining their legacy behaviour, however it does mean that you're explicitly marking all cookies for cross-site use. While this may be necessary for API auth related cookies, it's probably not needed for the majority of site cookies. It would be nice to provide configuration that enabled the following:

- `SameSite` attribute value to be applied
- `SameSite` value should override an existing value
- `SameSite` attribute to apply when missing
- `SameSite` values from cookies

For example, this would allow a developer to specify their auth cookie for the `SameSite=None; Secure` attributes, but apply a `SameSite=Lax` policy by default to everything else.
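A sketch of the per-cookie policy described above, written as an added example rather than code from this project. The configuration shape (`defaultSameSite`, `overrideExisting`, `perCookie`, with a `null` entry meaning "strip the attribute") is an assumption; it rewrites a single `Set-Cookie` header string and adds `Secure` whenever the result is `SameSite=None`, since browsers reject `None` without it.

```javascript
// Example policy (assumed shape): auth cookie goes cross-site, everything else Lax,
// and a SameSite already set by the application is left alone unless overrideExisting is true.
const policy = {
  defaultSameSite: 'Lax',          // applied when a cookie has no SameSite attribute
  overrideExisting: false,         // replace a SameSite value the app already set?
  perCookie: { session: 'None' },  // per-cookie-name value; null = strip the attribute
};

function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = rest.map((a) => {
    const i = a.indexOf('=');
    return i === -1 ? { key: a, value: null } : { key: a.slice(0, i), value: a.slice(i + 1) };
  });
  return { nameValue, name, attributes };
}

function serialize(cookie) {
  const attrs = cookie.attributes.map((a) => (a.value === null ? a.key : `${a.key}=${a.value}`));
  return [cookie.nameValue, ...attrs].join('; ');
}

function applySameSitePolicy(header, cfg) {
  const cookie = parseSetCookie(header);
  const isSameSite = (a) => a.key.toLowerCase() === 'samesite';
  const wanted = Object.prototype.hasOwnProperty.call(cfg.perCookie, cookie.name)
    ? cfg.perCookie[cookie.name]
    : cfg.defaultSameSite;
  const existing = cookie.attributes.find(isSameSite);

  if (wanted === null) {
    cookie.attributes = cookie.attributes.filter((a) => !isSameSite(a)); // strip for legacy clients
  } else if (!existing) {
    cookie.attributes.push({ key: 'SameSite', value: wanted });         // apply when missing
  } else if (cfg.overrideExisting) {
    existing.value = wanted;                                            // override existing value
  }

  // SameSite=None is only honoured together with Secure, so enforce the pairing.
  const final = cookie.attributes.find(isSameSite);
  const hasSecure = cookie.attributes.some((a) => a.key.toLowerCase() === 'secure');
  if (final && final.value.toLowerCase() === 'none' && !hasSecure) {
    cookie.attributes.push({ key: 'Secure', value: null });
  }
  return serialize(cookie);
}
```

Run it over each `Set-Cookie` header before the response is sent; a real middleware would loop over the array of headers, but the per-cookie decision is the part this issue is asking for.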