cookies: SameSite=None for HTTPS, SameSite=Lax for HTTP (!8996) · Merge requests · Administrator / sourcegraph

Administrator requested to merge same-site into master Mar 12, 2020

Created by: ggilmore

scheme	`SameSite` value
`http`	`SameSite=Lax`
`https`	`SameSite=None`

After this PR is merged, the browser extension will no longer be able to connect to plain HTTP instances. They must configure HTTPS.

Notes:

Firefox seemed to have no behavior change when I set the about:config setting as defined in https://web.dev/samesite-cookies-explained/#samesitenone-must-be-secure... is this properly implemented yet?
Still need to test what happens when you toggle http/https in the site configuration. Do users need to logout and log back in? Manually clear cookies?
I had to make a slightly larger than expected change to the redis session logic - both the SameSite and Secure fields needed to change. Is it same to update the SameSite option alongside Secure everytime sessionstore.Get() is called?
Is there a guide anywhere to add unit tests for this kind of thing?

cookies: SameSite=None for HTTPS, SameSite=Lax for HTTP