- What browsers show this problem?
- Please share an example project (if possible).
Any: attempt to sign in to Snap Cloud from non-berkeley.edu-hosted versions of Snap!
- Describes the steps to reproduce this issue.
Open snap from amazingrobots.net/snap or other non-berkeley.edu-hosted versions of Snap! Watch Developer tools.
- What does Snap! currently do?
Not allow sign-in to Snap! Cloud
A cookie associated with a cross-site resource at http://snap.berkeley.edu/ was set without theSameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=None
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
- What should Snap! do instead?
Allow sign-in to Snap! Cloud
More info: https://web.dev/samesite-cookies-explained/
Thanks. I am aware and have been looking at this. We will do our best to fix this but it’s not easy given the safari bugs. We don’t have much development cycles right now.
Super! Thank you!
Did You consider duplicating session cookie with different name and "SameSite=None;Secure" attributes? I hope that simple modification to Lapis source code will be sufficient (I have no live Lapis environment so it's only speculation).
get_session = function(r, secret) ... local cookie = r.cookies[config.session_name] if not (cookie) then cookie = r.cookies[config.session_name .. "_samesite"] end
write_session = function(r) ... r.cookies[config.session_name] = mt.encode_session(s) r.cookies[config.session_name .. "_samesite"] = mt.encode_session(s) .. ";SameSite=None;Secure"
Thanks!! Another app I develop went through the same discussions last week.
We've deployed the
SameSite cookie for all users. This will cause problems on older Safari browsers. Later I will work on the 2nd cookie. Well, I need to decide where 2 cookies or detecting a user agent string is easier to manage. But both options are possible.
The actual fully compatible user agent checks are kind of extensive.... https://github.com/pschinis/rails_same_site_cookie/blob/master/lib/rails_same_site_cookie/user_agent_checker.rb
And yet, messing with Lapis internals has associated maintenance costs.
Anyway, we'll make sure this all works.
Actually, didn't deploy the fix earlier, but I did just now and tested with amazingrobots and turned on all the cookie settings I could in Chrome just to give the most secure test and things are working.
The intention will still be to fix Safari and older browsers soon.
Awesome! (Chrome's my only concern... : )
Thank you for your work on Snap! and onthis fix in particular!