cookies: SameSite=None for HTTPS, SameSite=Lax for HTTP

Warren Gifford requested to merge same-site into master

Created by: ggilmore

Fixes https://github.com/sourcegraph/sourcegraph/issues/6167

| scheme | SameSite value |
|--------|----------------|
| http   | SameSite=Lax   |
| https  | SameSite=None  |

After this PR is merged, the browser extension will no longer be able to connect to plain HTTP instances. They must configure HTTPS.

Notes:

  • Firefox seemed to have no behavior change when I set the about:config setting as defined in https://web.dev/samesite-cookies-explained/#samesitenone-must-be-secure... is this properly implemented yet?

  • Still need to test what happens when you toggle http/https in the site configuration. Do users need to log out and log back in? Manually clear cookies?

  • I had to make a slightly larger than expected change to the redis session logic - both the SameSite and Secure fields needed to change. Is it safe to update the SameSite option alongside Secure every time sessionstore.Get() is called?

  • Is there a guide anywhere to add unit tests for this kind of thing?
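The scheme-to-attribute rule from the table above, worked through as an added Go example (not code from this merge request or from the Sourcegraph repository): the cookie name `sg-session`, the example hostnames and the helper names are assumptions. It derives Secure from the same scheme as SameSite, because browsers reject `SameSite=None` on a cookie that is not also `Secure`, and it includes a check that flags that invalid combination.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// sessionCookieFor builds the session cookie a server would emit for an
// instance reachable at externalURL, following the rule in the MR table:
// plain HTTP gets SameSite=Lax, HTTPS gets SameSite=None. Secure is derived
// from the same scheme rather than configured separately, since browsers
// drop SameSite=None cookies that are not also marked Secure.
// The cookie name is a hypothetical placeholder.
func sessionCookieFor(externalURL, value string) (*http.Cookie, error) {
	u, err := url.Parse(externalURL)
	if err != nil {
		return nil, err
	}
	c := &http.Cookie{
		Name:     "sg-session", // hypothetical name, not the project's
		Value:    value,
		Path:     "/",
		HttpOnly: true,
	}
	switch u.Scheme {
	case "https":
		c.Secure = true
		c.SameSite = http.SameSiteNoneMode
	case "http":
		c.Secure = false
		c.SameSite = http.SameSiteLaxMode
	default:
		return nil, fmt.Errorf("unsupported scheme %q in %s", u.Scheme, externalURL)
	}
	return c, nil
}

// validSameSite reports whether the SameSite/Secure combination is one a
// browser will accept: SameSite=None without Secure is rejected.
func validSameSite(c *http.Cookie) bool {
	return !(c.SameSite == http.SameSiteNoneMode && !c.Secure)
}

func main() {
	// Constructed sample instance URLs, one per scheme in the table.
	for _, u := range []string{"http://sourcegraph.example", "https://sourcegraph.example"} {
		c, err := sessionCookieFor(u, "opaque-session-id")
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-28s Set-Cookie: %s (accepted: %v)\n", u, c.String(), validSameSite(c))
	}
}
```

Running it prints the two Set-Cookie header values side by side; the HTTPS line carries both `Secure` and `SameSite=None`, which is the pairing the MR's redis session change has to keep in sync.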
