ring

Eugen 2024-08-16T23:31:53.906279Z

using ring-defaults and got this warning in the browser for the session id:

> Cookie “ID” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

if it should be addressed in ring-defaults I can open an issue for this

seancorfield 2024-08-17T00:58:51.674519Z

The wrap-cookies middleware (Ring Core) already supports a :same-site option with values :none, :strict, or :lax that affects all cookies -- and even if that doesn't affect session cookies, there's :cookie-attrs as an option for cookie-based session storage so you can specify :same-site there. It's not clear to me what default Ring should adopt (and it feels like it should do it in the core middleware, rather than the very much optional ring-defaults library)?

👍 1