Add SameSite cookie parameter #11
Comments
This change is postponed until the SameSite cookie parameter is official. It is currently only a draft RFC.
Giving this a bump. I'm getting console errors in Firefox and I actually came to your page to check on this. Love your package; I'm using it at work.
Hello and thank you for the feedback on the package. I'll work on it as soon as possible.
The SameSite parameter has been added with the release v1.3.0.
Thank you so much. This is actually a big issue right now: Chrome 84 is now assuming all cookies are SameSite Lax, which is sort of the end of third-party cookies.
On Fri, Aug 14, 2020 at 3:46 AM Christophe Meessen wrote:
    The SameSite parameter has been added with the new release v1.3.0.
If I understood correctly, you need to set SameSite to None to allow third-party cookies. But this will only work if the Secure parameter is set to true. The cookie will thus only be returned to HTTPS requests.
Yeah. For now. By 2022 they'll do away with None completely. Lax means the cookie can be read by the same root domain as the URL in the browser address bar, and Strict means it has to be the same domain entirely. I was using third-party cookies and JavaScript to do a simple OAuth attempt if users were logged in. I've reworked my stuff to only use first-party cookies now. I don't want to be fighting with Google, Apple, and Mozilla.
On Fri, Aug 14, 2020 at 12:32 PM Christophe Meessen wrote:
    If I understood correctly, you need to set SameSite to None to allow third-party cookies. But this will only work if the Secure parameter is set to true. The cookie will thus only be returned to HTTPS requests.
The SameSite cookie parameter makes it possible to reduce the risk of CSRF attacks if the remote browser takes it into account.
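As an added illustration of the two rules discussed in this thread (SameSite=None is only honoured together with Secure, and Lax/Strict decide whether a cross-site request such as a forged POST carries the cookie), here is a small Go example using only the standard library's net/http cookie support. It is not the package's own code; the function names and the simplified browser model in BrowserSends are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrNoneWithoutSecure mirrors the browser rule mentioned in the thread: a cookie
// with SameSite=None is discarded by the browser unless it also carries Secure.
var ErrNoneWithoutSecure = errors.New("SameSite=None requires the Secure attribute")

// NewCookie builds a session cookie with an explicit SameSite mode and refuses the
// one combination browsers reject (None without Secure). Hypothetical helper.
func NewCookie(name, value string, mode http.SameSite, secure bool) (*http.Cookie, error) {
	if mode == http.SameSiteNoneMode && !secure {
		return nil, ErrNoneWithoutSecure
	}
	return &http.Cookie{Name: name, Value: value, Path: "/",
		HttpOnly: true, Secure: secure, SameSite: mode}, nil
}

// SetCookieHeader renders the exact Set-Cookie header a handler would emit for c,
// so the attributes sent to the browser can be inspected.
func SetCookieHeader(c *http.Cookie) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, c)
	return rec.Header().Get("Set-Cookie")
}

// BrowserSends is a simplified model (an assumption, not browser code) of whether the
// browser attaches the cookie: crossSite is true when the request originates from a
// different site than the cookie's; topLevelGET is true for a top-level GET
// navigation, the one cross-site case Lax still allows. A forged POST from another
// site, the classic CSRF vector, is crossSite=true, topLevelGET=false.
func BrowserSends(mode http.SameSite, crossSite, topLevelGET bool) bool {
	switch mode {
	case http.SameSiteStrictMode:
		return !crossSite
	case http.SameSiteNoneMode:
		return true // only reachable for Secure cookies, see NewCookie
	default: // Lax, and an unspecified mode, which Chrome 84 treats as Lax
		return !crossSite || topLevelGET
	}
}

func main() {
	c, _ := NewCookie("session", "abc123", http.SameSiteLaxMode, true)
	fmt.Println(SetCookieHeader(c))
	for _, m := range []http.SameSite{http.SameSiteStrictMode, http.SameSiteLaxMode, http.SameSiteNoneMode} {
		fmt.Printf("mode=%d cross-site POST carries cookie: %v\n", m, BrowserSends(m, true, false))
	}
}
```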