Very timely post :) Just wanted to note some of my findings.
Chrome 80, as it's being updated across our computers, likely does not break your site/app.
Due to the safari bug, they put in an exception
(link: chromestatus.com/feature/508814734...)
However, Safari seems to have been broken for a while now, so a fix should be implemented quickly.
(link: bugs.webkit.org/show_bug.cgi?id=19...)
Their solution uses an Apache regex to solve the problem, but the solution is not up to date with latest Safari.
On a side note, if you're using an SPA and JWTs (no cookies) this is a non-issue.
Hi Daniel, thank you for sharing your findings.
The SameSite flag is not being enforced even in Chrome 80 until 17th February, 2020 (I am not sure about the date), as a relaxation.
If you want to test, go to chrome://flags and enable all three SameSite flags. You will see the errors mentioned in Shopify's tutorial. All we can do is to be prepared, right? ;)
And yeah, you are right about SPA.
Let me know your thoughts! Thanks.
That exception is temporary and will go away at some point. The specific situation that covers is for top-level, cross-site POST requests that require cookies. These should be set with SameSite=None; Secure as a permanent fix, not rely on the exception. This was added to account for a number of individual single sign-on implementations using this pattern to receive a CSRF token in their cookie - it is not related to the Safari issue.
The Safari issue is due to their implementation matching a much earlier version of the draft. As a result, if you need the cookie to work in all browsers you can use the double cookie solution proposed in web.dev/samesite-cookie-recipes/#h...
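The "double cookie" recipe Rowan points to, written out as an added example (this is not code from the thread, from web.dev, or from Shopify's tutorial). The server emits the same value twice: once with SameSite=None; Secure for browsers that implement the current draft, and once as a legacy twin with no SameSite attribute for browsers that mishandle the None value. On the way back in, the server prefers the modern cookie and falls back to the legacy one. The cookie names and the helper functions are assumptions made for the example; the value is a hypothetical CSRF token, and what the server then does with it (comparing it against the token in the POST body) is unchanged by the recipe.

```javascript
// Added example, not from the original thread: the "double cookie" pattern
// for a cookie that must survive top-level cross-site POSTs in every browser.
// Cookie names ("3pcookie" / "3pcookie-legacy") and the helpers below are
// hypothetical; the token value is constructed for the demo.

const LEGACY_SUFFIX = "-legacy";

// Build the two Set-Cookie header values that together cover both browser
// behaviours. SameSite=None is only honoured together with Secure, so both
// copies are marked Secure; the legacy copy simply omits SameSite, which a
// Chrome 80 default of Lax treats as a same-site-only cookie, while older
// Safari accepts it where it would have rejected SameSite=None.
function buildSetCookieHeaders(name, value, maxAgeSeconds) {
  const encoded = encodeURIComponent(value);
  const common = `Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure`;
  return [
    `${name}=${encoded}; ${common}; SameSite=None`,
    `${name}${LEGACY_SUFFIX}=${encoded}; ${common}`,
  ];
}

// Parse a request Cookie header ("a=1; b=2") into a name -> value map.
// The first occurrence of a name wins, matching how browsers order cookies.
function parseCookieHeader(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const val = part.slice(idx + 1).trim();
    if (key && !(key in cookies)) cookies[key] = decodeURIComponent(val);
  }
  return cookies;
}

// Read the cookie the way the recipe expects: modern name first, then the
// legacy twin, then null if neither arrived (the request is treated as
// having no token at all, which a CSRF check must reject).
function readDoubleCookie(header, name) {
  const cookies = parseCookieHeader(header);
  if (name in cookies) return cookies[name];
  const legacyName = name + LEGACY_SUFFIX;
  if (legacyName in cookies) return cookies[legacyName];
  return null;
}

// Usage on the response side (constructed token value):
const setCookieHeaders = buildSetCookieHeaders("3pcookie", "csrf-token-demo", 3600);
// Usage on the request side, for a browser that only kept the legacy copy:
const tokenFromLegacyOnly = readDoubleCookie("3pcookie-legacy=csrf-token-demo", "3pcookie");
```

Both headers are sent on the same response; whichever copy the browser kept is the one that comes back, and the value read from either must still be compared against the token carried in the request itself before the POST is accepted.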
Thank you Rowan for your input on this issue.