
http: set samesite cookie attribute to value none

Administrator requested to merge samesite_cookie_strict into master

Created by: uwedeportivo

Related to https://github.com/sourcegraph/sourcegraph/issues/6167

When a local instance installs an extension it talks to a remote registry (for example sourcegraph.com). With the change in browser behavior regarding the SameSite cookie attribute (nicely described here: https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/) the session cookies from sourcegraph.com won't be sent to sourcegraph.com by the browser during the extension installation flow on the local instance. This is ok, the extension still installs (it gets the bundle). The only downside is the message in the console (as far as I can tell).

This PR sets the attribute value explicitly instead of relying on the default value and behavior. The assumption is that having an explicit value will get rid of the message in the console. I haven't been able to confirm that yet, still setting up my test.

We could go with the value Strict or Lax (see https://web.dev/samesite-cookies-explained/). Lax is the new default when the attribute is not explicitly set (it used to be None before Chrome 80).
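As an added example (not the code in this merge request), the following Go snippet shows what setting the attribute explicitly looks like on the server side, and the one pairing that matters for the `None` value: browsers only accept `SameSite=None` together with `Secure`, so the helper forces that. The cookie name and token value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// sessionCookie builds a session cookie with an explicit SameSite attribute
// so the browser never has to apply its own default (Lax since Chrome 80).
// "example-session" is a constructed name, not a real cookie of any project.
func sessionCookie(value string, mode http.SameSite, secure bool) *http.Cookie {
	c := &http.Cookie{
		Name:     "example-session",
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: mode,
	}
	// A cookie marked SameSite=None is rejected by current browsers unless it
	// is also Secure, so never emit the cross-site mode without that flag.
	if mode == http.SameSiteNoneMode {
		c.Secure = true
	}
	return c
}

// setCookieHeader returns the Set-Cookie header line the server would send.
func setCookieHeader(c *http.Cookie) string {
	return c.String()
}

func main() {
	for _, mode := range []http.SameSite{
		http.SameSiteStrictMode, http.SameSiteLaxMode, http.SameSiteNoneMode,
	} {
		fmt.Println(setCookieHeader(sessionCookie("opaque-token", mode, false)))
	}
}
```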
