Added support for SameSite=None cookie value#1358
Conversation
…rfc6265bis - https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#appendix-A.4 - Indicates that cookie is used as a third party cookie.
Any idea when this will be released?

Is there a milestone or semantic version which these changes align to? Also curious as to when these will go live.

Any update on when this will become generally available, given the upcoming changes to Chrome?

I realize that releases of rack are few and far between but must I maintain a fork of rack for the sake of setting

Nope, let's try to get this in the next release.

Just to check, this appears to be merged, so all we need is another release, right?

@ioquatix that's what it looks like to me, if you were asking my opinion.

Awesome, just wanted to check we weren't missing anything.

For those who searched and found this thread/PR -- To make I have created this gist https://gist.github.com/bnorton/7dee72023787f367c48b3f5c2d71540f based on the rules and guidelines of the Chromium team => https://www.chromium.org/updates/same-site/incompatible-clients

Any update on when we can expect this change to be released? The breaking version of Chrome is expected to be promoted to stable in a little over a month.

@outreach-soren See #1387, looks like they're aiming for a release next week.

Thanks!
…ack::Session::Cookie middleware

Recently, rack added support for SameSite=None cookies: rack#1358

However there is currently no way to set these cookies using the Rack::Session::Cookie middleware without monkeypatching. This pull request allows setting the SameSite value either by direct, literal passthrough to the add_cookie_to_header method, or by passing a callable. The callable option is required because some browsers are incompatible with some values of the header, so it needs to be [different per-browser](https://www.chromium.org/updates/same-site/incompatible-clients).

Static usage:

```ruby
use Rack::Session::Cookie, secret: 'supersecret', same_site: :none
```

Dynamic usage:

```ruby
use Rack::Session::Cookie, secret: 'supersecret', same_site: lambda { |req, res| SameSite.value(req.user_agent) }
```
This value was added in revision 3 of rfc6265bis:
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#appendix-A.4

The value "None" indicates that the cookie is used as a third-party cookie. Chrome 76, due for release late July, will default to SameSite=Lax unless SameSite is set. The only way to set cookies used as third-party cookies will be to set them with SameSite=None:
https://web.dev/samesite-cookies-explained/
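As an added example that is neither rack's code nor the gist linked in the thread: a Ruby port of the User-Agent rules the Chromium team published on the incompatible-clients page, packaged so it can back the `same_site:` callable in the follow-up PR quoted above, together with a small Set-Cookie builder that enforces the Secure pairing that SameSite=None requires. The module and method names (`SameSite.value`, `SameSite.set_cookie_header`) and the sample User-Agent strings are assumptions and constructed values; the rack gem is not needed to run it.

```ruby
# Added example (not rack's own code). Port of the Chromium team's published
# rules for clients that mishandle SameSite=None:
#   https://www.chromium.org/updates/same-site/incompatible-clients
# Names SameSite.value / SameSite.set_cookie_header are assumptions.
module SameSite
  module_function

  # Value for the `same_site:` callable: :none when the client handles the
  # attribute, nil (omit SameSite entirely) for a known-incompatible client.
  def value(user_agent)
    incompatible?(user_agent) ? nil : :none
  end

  # Two failure classes: WebKit on iOS 12 / macOS 10.14 treated None as Strict,
  # and Chromium 51-66 / old UC Browser dropped cookies with an unknown value.
  def incompatible?(user_agent)
    ua = user_agent.to_s
    webkit_samesite_bug?(ua) || drops_unrecognized_samesite?(ua)
  end

  def webkit_samesite_bug?(ua)
    ios_version?(12, ua) ||
      (macosx_version?(10, 14, ua) && (safari?(ua) || mac_embedded_browser?(ua)))
  end

  def drops_unrecognized_samesite?(ua)
    return !uc_browser_version_at_least?(12, 13, 2, ua) if uc_browser?(ua)

    chromium_based?(ua) &&
      chromium_version_at_least?(51, ua) && !chromium_version_at_least?(67, ua)
  end

  def ios_version?(major, ua)
    m = ua.match(%r{\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/})
    !m.nil? && m[1].to_i == major
  end

  def macosx_version?(major, minor, ua)
    m = ua.match(%r{\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/})
    !m.nil? && m[1].to_i == major && m[2].to_i == minor
  end

  def safari?(ua)
    ua.match?(%r{Version/.* Safari/}) && !chromium_based?(ua)
  end

  # Bare WebKit UA ending right after "(KHTML, like Gecko)": embedded browsers.
  def mac_embedded_browser?(ua)
    ua.match?(%r{\AMozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ \(KHTML, like Gecko\)\z})
  end

  def chromium_based?(ua)
    ua.match?(/Chrom(e|ium)/)
  end

  def chromium_version_at_least?(major, ua)
    m = ua.match(%r{Chrom[^ /]+/(\d+)[.\d]* })
    !m.nil? && m[1].to_i >= major
  end

  def uc_browser?(ua)
    ua.include?('UCBrowser/')
  end

  def uc_browser_version_at_least?(major, minor, build, ua)
    m = ua.match(%r{UCBrowser/(\d+)\.(\d+)\.(\d+)[.\d]* })
    return false if m.nil?

    ([m[1].to_i, m[2].to_i, m[3].to_i] <=> [major, minor, build]) >= 0
  end

  # Render one Set-Cookie value. Browsers only honour SameSite=None on cookies
  # that are also Secure, so that pairing is enforced instead of silently
  # emitting a cookie the browser will reject.
  def set_cookie_header(name, val, same_site:, secure:, http_only: true)
    attr = same_site && same_site.to_s.capitalize # :none -> "None"
    if attr == 'None' && !secure
      raise ArgumentError, 'SameSite=None cookies must also be Secure'
    end

    header = "#{name}=#{val}; path=/"
    header += '; secure' if secure
    header += '; HttpOnly' if http_only
    header += "; SameSite=#{attr}" if attr
    header
  end
end

# Constructed User-Agent strings covering the cases the rules distinguish.
UA_CHROME_66  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36'
UA_CHROME_80  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36'
UA_IOS12      = 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1'
UA_MAC_SAFARI = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15'
UA_MAC_CHROME = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36'
UA_UC_OLD     = 'Mozilla/5.0 (Linux; U; Android 8.1.0; en-US) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.12.0.1088 Mobile Safari/537.36'

if $PROGRAM_NAME == __FILE__
  [UA_CHROME_66, UA_CHROME_80, UA_IOS12, UA_MAC_SAFARI, UA_MAC_CHROME, UA_UC_OLD].each do |ua|
    puts "#{SameSite.value(ua).inspect}\t#{ua[0, 48]}"
  end
end
```

Wired into the follow-up PR's dynamic form as `same_site: lambda { |req, _res| SameSite.value(req.user_agent) }`, this sends `SameSite=None` to Chrome 80 and to Chrome on macOS 10.14, but omits the attribute for Chrome 66, iOS 12, Safari on macOS 10.14 and UC Browser 12.12. Sniffing is a stop-gap for the transition the thread describes: the two-cookie approach on the same Chromium page is the alternative when User-Agent strings cannot be trusted, and either way `Secure` must accompany `None`.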