after rebasing the branch for #151 last night, i found one of the apps that was using that branch broken this morning.
the breakage was related to that app needing `isSameSite` to be set to `Lax` for its particular use case. the app had that configured at the server level, but not as a direct option to the `hapi-auth-cookie` plugin (because my fork was from before it was available as a direct plugin option).
the change that got pulled forward when i rebased my branch defined a default value of `Strict` for `isSameSite` at the plugin level, which is a very logical default (especially since it matches the server-level default). however, it ends up overriding the setting from the server level by being so forceful in setting that default value.
i found this to be unexpected. i would have expected that `hapi-auth-cookie` would honor the `isSameSite` value from the server-level config, if provided. in my case, i'm fine to just move this config from server-level to plugin-level since this is the only cookie set by this app. in the more general case, though, this seems like unintended behavior.
is this overriding default value intended behavior?
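The layering described in this issue, as an added model (not hapi's or hapi-auth-cookie's own code): a framework default, a server-level cookie setting, and a per-cookie option from the plugin. The function names and the `{ isSameSite: 'Strict', ... }` framework default are assumptions made for illustration; the point is how an unconditional plugin default hides the server-level `Lax`, and how forwarding only explicitly configured keys lets it through.

```javascript
// Server-level cookie settings, as an app would put in server.options.state.
// Constructed sample: Lax is the value the broken app relied on.
const serverLevelState = { isSecure: true, isHttpOnly: true, isSameSite: 'Lax' };

// Model of registering a cookie: framework default, then server-level
// settings, then per-cookie options. A key present at a later layer wins,
// which is why a plugin that always supplies isSameSite overrides the server.
// (Hypothetical model of hapi's behaviour, not its implementation.)
function registerCookie(serverState, cookieOptions) {
  return { isSameSite: 'Strict', ...serverState, ...cookieOptions };
}

// "Forceful" plugin: fills in its own default before touching the server,
// so the server-level value is never consulted.
function cookieOptionsForceful(pluginOptions) {
  const settings = { isSameSite: 'Strict', ...pluginOptions };
  return { isSameSite: settings.isSameSite };
}

// "Honouring" plugin: forwards isSameSite only when the app set it on the
// plugin, so an absent option falls through to the server-level setting.
// An explicit false (attribute disabled) is still forwarded.
function cookieOptionsHonouring(pluginOptions) {
  const forwarded = {};
  if (pluginOptions.isSameSite !== undefined) {
    forwarded.isSameSite = pluginOptions.isSameSite;
  }
  return forwarded;
}

// Effective SameSite attribute for a given plugin strategy.
function effectiveSameSite(serverState, pluginOptions, strategy) {
  return registerCookie(serverState, strategy(pluginOptions)).isSameSite;
}

console.log('forceful :', effectiveSameSite(serverLevelState, {}, cookieOptionsForceful));   // Strict
console.log('honouring:', effectiveSameSite(serverLevelState, {}, cookieOptionsHonouring));  // Lax
```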