Diamond
> The jwt is stored in a cookie, so I believe it will be sent automatically with any request to the Lemmy domain (even if triggered by another site). The...
Quick heads up: Beehaw currently uses 0.17.4, and checking its `jwt` cookie reveals that its `SameSite` is actually `None`, which is super bad! In order for this PR to...
It also might be best to leave the `Access-Control-Allow-Credentials` header out entirely. After all, third-party clients can just include the token in the request body within the `$.auth` JSON field,...
This [isomorphic-cookie](https://github.com/bsidelinger912/isomorphic-cookie) library seems very outdated. It doesn't allow adding a `sameSite` attribute...
@Nutomic If `lemmy-ui` is using JS to store the JWT as a cookie, why is it not storing it in the local storage instead?
I can't figure out `IsomorphicCookie`. My `import "cookie"` isn't being used properly for some reason. I think I'll just try to pick up this PR without figuring out the UI...
I've made PR https://github.com/LemmyNet/lemmy/pull/3421 that replaces this PR.
> This PR would break the existing ability to set a specific hostname, which breaks my use-case of only allowing my site access (I do not federate). Would doing this...
> @diamondburned Try the code in #3408, but defaulting the localhost string to *, and using this PR's code if *, or using the code currently in lemmy if anything...
> @auouymous Yes, I'm aware, it doesn't matter, I don't want to allow other clients at this time. That'll work for blocking off *web* clients. You'll have a hard time...