VRChat's API will be making a change soon. We'll be adding the SameSite=Lax attribute to our auth cookies. This is part of an effort to improve our CSRF protection.
Browsers for the most part already treat all cookies this way, but a handful don't. We don't expect this to affect many VRChat-related applications, but we wanted to let you know anyhow.
Additionally, we're going to start filtering requests based on the Origin and Referer headers. Leave those headers empty to avoid being impacted by this change.
dtupper
commented
1 year ago
Hello!
VRChat's API will be making a change soon. We'll be adding the
SameSite=Laxattribute to our auth cookies. This is part of an effort to improve our CSRF protection.Browsers for the most part already treat all cookies this way, but a handful don't. We don't expect this to affect many VRChat-related applications, but we wanted to let you know anyhow.
Additionally, we're going to start filtering requests based on the
OriginandRefererheaders. Leave those headers empty to avoid being impacted by this change.Thank you!