Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CSRF cookies don't set SameSite Attribute. Will soon be rejected by browsers.
See original GitHub issueInstall from Git, last week.
Developer tools console shows:
Cookie “multisite-ckkclehap000k3i4sxv7zp87b.csrf” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
To Reproduce
Step by step instructions to reproduce the behavior:
- Turn on Developer Console in FF or Chrome, etc.
- Observe warnings.
Expected behavior
SameSite attribute set?
Describe the bug
The SameSite Attribute is missing.
Details
Version of Node.js:
12.20.1
Server Operating System:
Debian Buster
Issue Analytics
- State:
- Created 3 years ago
- Comments:26 (9 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Defaulting to secure would be too, for A2. So probably we just need to document best practices here and possibly put something in apostrophe-boilerplate.
On Wed, Jan 27, 2021 at 10:48 AM Tom Boutell tom@apostrophecms.com wrote:
–
THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his
Thx, that is really interesting.