Make all HTTPS cookies set SameSite to none
What does this MR do?
Some users reported being logged out quite frequently, and we suspect a change in Chrome caused this.
Chrome v80, rolled out in March 2020, treats any cookies without the SameSite directive set as though they are SameSite=Lax (https://www.chromestatus.com/feature/5088147346030592). This is a breaking change from the previous default behavior, which was to treat those cookies as SameSite=None.
To fix this, we add a middleware that tags all cookies with the Secure and SameSite=None attributes. This middleware is needed until we upgrade to Rack v2.1.0+ (https://github.com/rack/rack/commit/c859bbf7b53cb59df1837612a8c330dfb4147392) and a version of Rails that has native support (https://github.com/rails/rails/commit/7ccaa125ba396d418aad1b217b63653d06044680).
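The middleware described above, as an added example rather than the MR's own code: it rewrites the Set-Cookie header of HTTPS responses, adding Secure and SameSite=None to cookies that carry no explicit SameSite value (an explicit Strict or Lax is left alone, which is a design choice of this example). The HTTPS check is a hand-rolled stand-in for Rack::Request#ssl? so the snippet runs without the rack gem.

```ruby
# Added example, not the MR's own middleware: appends "Secure" and
# "SameSite=None" to Set-Cookie headers on HTTPS responses only.
class SameSiteNoneCookies
  # Rack 2.x stores several Set-Cookie values in one string joined by "\n".
  COOKIE_SEPARATOR = "\n".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    value = headers['Set-Cookie']
    if https?(env) && value && !value.empty?
      headers['Set-Cookie'] = self.class.tag(value)
    end
    [status, headers, body]
  end

  # Rewrites a complete Set-Cookie header value (one or more cookies).
  def self.tag(header_value)
    header_value.split(COOKIE_SEPARATOR).map { |c| tag_one(c) }.join(COOKIE_SEPARATOR)
  end

  # Tags one cookie string. An explicit SameSite value is left untouched;
  # without one the cookie falls to Chrome 80's Lax default, so we set None,
  # plus Secure, because browsers reject SameSite=None on insecure cookies.
  def self.tag_one(cookie)
    attrs = cookie.split(/;\s*/)
    return cookie if attrs.any? { |a| a.match?(/\ASameSite=/i) }
    attrs << 'Secure' unless attrs.any? { |a| a.casecmp?('Secure') }
    attrs << 'SameSite=None'
    attrs.join('; ')
  end

  private

  # Minimal stand-in for Rack::Request#ssl? (assumption: direct TLS, or a
  # reverse proxy that sets X-Forwarded-Proto).
  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end
```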
Definitions per MDN for SameSite:
None: The browser will send cookies with both cross-site requests and same-site requests.
Strict: The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the Strict attribute will be included.
Lax: Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.