rails_same_site_cookie

Always set "Secure" when sending "SameSite=None"

Open asterite opened this issue 4 years ago • 0 comments

Hi! Thank you for this nice little gem 🙏

According to some sources, like this one, it seems that if "SameSite=None" is specified then "Secure" must also be specified, otherwise the cookie will be blocked:

If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).

So I'm thinking these lines:

https://github.com/pschinis/rails_same_site_cookie/blob/4750406b8f2e4cfdeab87f89693aac2b6f6b1517/lib/rails_same_site_cookie/middleware.rb#L25-L29

could be changed to:

            if not cookie =~ /;\s*secure/i
              cookie << '; Secure'
            end

It seems that over HTTP, if you send "SameSite=None; Secure" then everything still works fine. At least for first-party contexts it works fine. And for third-party contexts, well, they must be "Secure" according to the spec, so it never makes sense to send "SameSite=None" without "Secure".

I can send a PR if you want! In the meantime I'm just monkeypatching the middleware on my app.

asterite, Feb 08 '22 12:02
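The behaviour the issue asks for, written out as an added example rather than the gem's own middleware: a minimal Rack-style middleware that appends `SameSite=None` to every `Set-Cookie` header lacking a `SameSite` attribute and, whenever a cookie ends up with `SameSite=None`, also appends `Secure` if it is not already there. The class name `SameSiteNoneSecure`, the regexes and the way the gem's middleware structures its headers are all assumptions made for this illustration, not taken from the linked code; the only behaviour taken from the issue is "SameSite=None always travels with Secure". It depends on nothing outside the Ruby standard library, so it can be run as-is.

```ruby
# Added example, not rails_same_site_cookie's code. A Rack-style middleware
# (only the call(env) contract is used, so no gem is required) that makes
# sure every cookie sent with SameSite=None is also marked Secure, since
# browsers reject SameSite=None cookies that lack the Secure attribute.
class SameSiteNoneSecure
  # "; SameSite=<anything>" already present: leave the attribute alone.
  SAMESITE_RE      = /;\s*samesite=/i
  # "; SameSite=None" specifically: this is the case that requires Secure.
  SAMESITE_NONE_RE = /;\s*samesite=none/i
  # "; Secure" as a whole attribute (followed by ";" or end of string), so
  # an attribute that merely starts with "Secure" does not count.
  SECURE_RE        = /;\s*secure(\s*;|\s*$)/i

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Rack 2 uses "Set-Cookie", Rack 3 lower-cases header names.
    key = headers.keys.find { |k| k.casecmp?('set-cookie') }
    headers[key] = self.class.normalize_header(headers[key]) if key
    [status, headers, body]
  end

  # Rack 3 carries multiple cookies as an Array; Rack 2 joins them with "\n".
  # Preserve whichever shape the application used.
  def self.normalize_header(value)
    if value.is_a?(Array)
      value.map { |c| normalize(c) }
    else
      value.to_s.split("\n").map { |c| normalize(c) }.join("\n")
    end
  end

  # Rewrite a single Set-Cookie value.
  def self.normalize(cookie)
    cookie = cookie.dup
    cookie << '; SameSite=None' unless cookie =~ SAMESITE_RE
    # Exactly the check proposed in the issue: SameSite=None without Secure
    # would be dropped by the browser, so add Secure.
    if cookie =~ SAMESITE_NONE_RE && cookie !~ SECURE_RE
      cookie << '; Secure'
    end
    cookie
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample response with two cookies, Rack 3 style (Array).
  app = ->(_env) { [200, { 'set-cookie' => ['sid=abc; Path=/', 'pref=1; SameSite=Lax'] }, ['ok']] }
  _status, headers, _body = SameSiteNoneSecure.new(app).call({})
  headers['set-cookie'].each { |c| puts c }
end
```

One practical caveat when adopting this: a cookie carrying `Secure` is stored and returned by browsers only for HTTPS origins (localhost excepted), so for a deployment still served over plain HTTP this change means the cookie stops coming back at all rather than degrading gracefully.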