[ ] Repec's Set-Cookie response header includes "SameSite=Strict"
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of https://github.com/pulibrary/dacs_handbook/issues/154
If a user logs into Repec, navigates to a non-Princeton Web site (e.g. Outlook), and then clicks a link from that Web site back to Repec, they will need to log in to Repec again.
Success criteria
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of https://github.com/pulibrary/dacs_handbook/issues/154
Example PR
https://github.com/pulibrary/orangelight/pull/3932
Tradeoff
If a user logs into Repec, navigates to a non-Princeton Web site (e.g. Outlook), and then clicks a link from that Web site back to Repec, they will need to log in to Repec again.
Further reading
I found this from Mozilla, this from Portswigger, and this blog post from Andrew Lock to be helpful in understanding this topic.