SameSite=None is not compatible with older browsers
We set `SameSite=None` in GitLab 12.10 via !28205 (merged) because Chrome v80, rolled out in March 2020, treats any cookies without the `SameSite` directive set as though they are `SameSite=Lax` (https://www.chromestatus.com/feature/5088147346030592). This is a breaking change from the previous default behavior, which was to treat those cookies as `SameSite=None`.

However, older browsers (e.g. Safari 13.0.3) may interpret the `None` as `Strict`, which causes users who click on gitlab.com links from third-party sites (e.g. Gmail, Slack) to log in again.

https://www.chromium.org/updates/same-site/incompatible-clients recommends a set of regular expressions to determine whether to send this. We should consider adding this logic in `lib/gitlab/middleware/same_site_cookies.rb`, possibly using the `browser` gem.
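As an added illustration (not GitLab's middleware and not from the `browser` gem), the following Ruby module implements the User-Agent checks from the Chromium incompatible-clients page linked above: it returns an empty attribute suffix for clients that would misread or drop `SameSite=None`, and `; SameSite=None; Secure` otherwise. The regular expressions follow that page's pseudocode; the sample User-Agent strings are constructed for the demonstration.

```ruby
# Added example (not GitLab's code): User-Agent checks following the Chromium
# "incompatible clients" pseudocode. Sample UAs below are constructed.
module SameSiteCompat
  IOS_RE       = /\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\//
  MACOS_RE     = /\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\//
  SAFARI_RE    = /Version\/.* Safari\//
  MAC_EMBED_RE = /\AMozilla\/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit\/[.\d]+ \(KHTML, like Gecko\)\z/
  CHROMIUM_RE  = /Chrom(e|ium)/
  CHROMIUM_VER = /Chrom[^ \/]+\/(\d+)[.\d]* /
  UC_VER       = /UCBrowser\/(\d+)\.(\d+)\.(\d+)[.\d]* /
  module_function

  # True when the client treats SameSite=None as Strict (WebKit bug) or
  # rejects any cookie carrying an unrecognised SameSite value.
  def incompatible?(ua)
    webkit_same_site_bug?(ua) || drops_unrecognized_same_site?(ua)
  end

  # iOS 12, and Safari or embedded WebKit on macOS 10.14, misread None as Strict.
  def webkit_same_site_bug?(ua)
    ios = ua.match(IOS_RE)
    return true if ios && ios[1].to_i == 12
    mac = ua.match(MACOS_RE)
    return false unless mac && mac[1].to_i == 10 && mac[2].to_i == 14
    (ua.match?(SAFARI_RE) && !ua.match?(CHROMIUM_RE)) || ua.match?(MAC_EMBED_RE)
  end

  # UC Browser < 12.13.2 and Chromium 51-66 drop cookies with an unknown
  # SameSite value instead of ignoring the attribute.
  def drops_unrecognized_same_site?(ua)
    if ua.include?("UCBrowser/")
      v = ua.match(UC_VER)
      return v.nil? || (v[1..3].map(&:to_i) <=> [12, 13, 2]).negative?
    end
    v = ua.match(CHROMIUM_VER)
    !!(ua.match?(CHROMIUM_RE) && v && (51...67).cover?(v[1].to_i))
  end

  # Attribute suffix a middleware would append to Set-Cookie; None needs Secure.
  def same_site_suffix(ua)
    incompatible?(ua) ? "" : "; SameSite=None; Secure"
  end
end

# Constructed sample User-Agent strings exercising each branch.
SAMPLE_UAS = {
  safari_macos_10_14: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
  chrome_60: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
  chrome_80: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36"
}.freeze
```

Omitting the attribute for incompatible clients leaves the cookie without `SameSite`, which Chrome 80+ treats as `Lax` and older clients treat as before.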