Users on newer browser versions ran into issues with iframes on a platform I maintained.
It happened because newer browser versions treat cookies without a SameSite attribute as SameSite=Lax instead of SameSite=None. In other words, the new default restricts cookies to a first-party context only.
To make iframes work properly on newer browsers, we needed to explicitly allow cookies for cross-site usage. To do so, we needed to set SameSite=None; Secure on the cookies.
Note that we also set Secure. If we just set SameSite=None without Secure, cookies will be rejected: SameSite=None requires a secure context, i.e. HTTPS.
Strict - cookies are not sent in any cross-site request, whether GET or POST.
Lax - cookies are not sent by browsers in cross-site POST requests or in cross-site subrequests such as iframes; cross-site top-level GET navigations still carry them.
None - cookies are sent in cross-site GET or POST requests, but this requires the Secure attribute on the cookie and HTTPS.
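The rules above can be checked mechanically. The following Ruby snippet is an added example (not code from the original post) that parses a Set-Cookie header value and reports how a modern browser would treat it: whether it is accepted at all, its effective SameSite mode, and whether it would be attached to a cross-site iframe, top-level GET, or POST request. The request-kind symbols (:iframe, :top_level_get, :cross_site_post) are my own naming.

```ruby
# Added example: models the browser rules described above.
#   - no SameSite attribute      -> treated as SameSite=Lax
#   - SameSite=None without Secure -> cookie rejected
#   - Lax   -> sent on cross-site top-level GET navigations only
#   - Strict -> never sent cross-site
#   - None  -> sent on any cross-site request once accepted

# Parses a Set-Cookie header value into name, value and attribute hash.
# Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, hash|
    key, val = attr.split("=", 2)
    hash[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# Returns :rejected when the browser would drop the cookie, otherwise the
# effective SameSite mode (:strict, :lax or :none).
def effective_same_site(header)
  attrs = parse_set_cookie(header)[:attributes]
  mode = (attrs["samesite"] || "Lax").to_s.downcase.to_sym
  mode = :lax unless %i[strict lax none].include?(mode) # unknown value -> default
  return :rejected if mode == :none && !attrs["secure"] # None requires Secure
  mode
end

# Would the cookie be attached to a cross-site request of the given kind?
# kind is one of :iframe (embedded subrequest), :top_level_get, :cross_site_post.
def sent_cross_site?(header, kind)
  case effective_same_site(header)
  when :none then true
  when :lax  then kind == :top_level_get
  else false # :strict or :rejected
  end
end
```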
Rails 6.1 added support for setting a project-wide default value of SameSite.
Starting from Rails 6.1, SameSite is set to Lax explicitly by default. If you need another default value of SameSite, you can set it via the Rails configuration, like:
Rails.application.configure do
  config.action_dispatch.cookies_same_site_protection = :strict
end
SameSite=Strict has a big gotcha - when clicking a link in a webmail client any cookies set in response to that request won't get recorded. Had to move some stuff to a separate cookie that I could set to Lax: https://t.co/q4bovYekG4— Andrew White (@pixeltrix) May 18, 2021