Users on newer browser versions ran into problems with iframes on a platform I maintain. The cause: newer browsers treat a cookie that carries no SameSite attribute as SameSite=Lax rather than SameSite=None, so the new default restricts such cookies to a first-party context.

To make the iframes work on newer browsers we had to explicitly allow cross-site use of the cookies by setting SameSite=None; Secure on them. Note the Secure attribute: a cookie with SameSite=None but without Secure is rejected outright by these browsers, because None requires a secure context (HTTPS).

Shortly about SameSite values:

Strict - the cookie is never sent on cross-site requests, neither GET nor POST, not even when the user follows a link to your site from another site.

Lax - the cookie is not sent on cross-site POST requests. It is sent on cross-site GET requests only when they are top-level navigations (for example the user clicks a link); embedded subresources such as iframes, images or fetch calls do not get it, even though they are GETs, which is exactly why iframes broke under the new default.

None - the cookie is sent on cross-site GET and POST requests alike, but only if it also carries the Secure attribute and is served over HTTPS.
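To make the three values concrete, here is an added example in plain Ruby; it is not code from the original post and it uses neither Rack nor Rails. It builds a Set-Cookie header value and refuses SameSite=None without Secure, and it models the browser's decision for all three values, including the case above where an iframe load is a GET that a Lax cookie still does not accompany. Cookie names, values and request scenarios are constructed for the demo.

```ruby
# Added example, not code from the original post. Pure Ruby (no Rack or Rails),
# so it runs stand-alone. Two pieces:
#   1. set_cookie_header: builds a Set-Cookie value and refuses SameSite=None
#      without Secure, the combination newer browsers reject.
#   2. cookie_sent?: models whether a browser with the new default
#      (no SameSite attribute => treated as Lax) attaches a cookie to a request.
# Cookie names/values and the request scenarios are constructed for the demo.

SAME_SITE_VALUES = %w[Strict Lax None].freeze
SAFE_METHODS     = %w[GET HEAD OPTIONS TRACE].freeze

# Build the Set-Cookie header value. same_site may be :strict, :lax or :none.
def set_cookie_header(name, value, same_site:, secure: false, http_only: true, path: "/")
  mode = same_site.to_s.capitalize # :none -> "None"
  raise ArgumentError, "unknown SameSite value #{same_site.inspect}" unless SAME_SITE_VALUES.include?(mode)
  # SameSite=None is only honoured together with Secure (and therefore HTTPS);
  # without it the cookie is dropped by browsers with the new defaults.
  raise ArgumentError, "SameSite=None requires Secure" if mode == "None" && !secure

  attrs = ["#{name}=#{value}", "Path=#{path}"]
  attrs << "Secure"   if secure
  attrs << "HttpOnly" if http_only
  attrs << "SameSite=#{mode}"
  attrs.join("; ")
end

# Browser-side decision for a cookie whose SameSite attribute is
# "Strict", "Lax", "None" or nil (attribute absent).
#   cross_site: the request is initiated from a different site than the cookie's
#   top_level:  a navigation that changes the address bar (link click, form submit);
#               false for embedded subresources such as an iframe, img or fetch()
#   method:     HTTP method of the request
def cookie_sent?(cookie_same_site, cross_site:, top_level:, method: "GET")
  return true unless cross_site          # same-site requests always carry the cookie
  mode = cookie_same_site || "Lax"       # new default: missing attribute behaves as Lax
  case mode
  when "None"   then true                # sent everywhere (assumes it was set with Secure)
  when "Strict" then false               # never on cross-site requests
  when "Lax"    then top_level && SAFE_METHODS.include?(method.upcase)
  else raise ArgumentError, "unknown SameSite value #{mode.inspect}"
  end
end

# The scenario from the post: a cookie with no SameSite attribute, used inside
# an iframe on another site, before and after the fix.
def iframe_scenario
  {
    before_fix: cookie_sent?(nil,    cross_site: true, top_level: false), # => false
    after_fix:  cookie_sent?("None", cross_site: true, top_level: false), # => true
  }
end

if __FILE__ == $PROGRAM_NAME
  puts set_cookie_header("session_id", "abc123", same_site: :none, secure: true)
  p iframe_scenario
  p cookie_sent?("Lax", cross_site: true, top_level: true)                 # link click: sent
  p cookie_sent?("Lax", cross_site: true, top_level: true, method: "POST") # form post: not sent
end
```

The model deliberately leaves out Chrome's temporary "Lax+POST" migration exception (a cookie without a SameSite attribute that is less than two minutes old is still sent on a top-level cross-site POST); it exists only to ease the transition and should not be relied on.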

Rails 6.1 added support for setting a project-wide default value of the SameSite attribute. See

Starting with Rails 6.1 (when the 6.1 framework defaults are loaded) SameSite is set explicitly to Lax. If you need a different default, set it in the Rails configuration, e.g.:

# config/application.rb or config/environments/<env>.rb
Rails.application.configure do
  config.action_dispatch.cookies_same_site_protection = :strict # or :lax, :none
end

Also worth knowing: Rack 2.0.9 added support for the None value. See https://github.com/rack/rack/pull/1358.

Additional resources: