A few years ago I put a bunch of work into figuring out the SameSite cookie attribute because the documentation for how that actually worked was so thin on the ground https://simonwillison.net/2021/Aug/3/samesite/
@simon thanks for this. I was actually wondering, today, whether I’m using SameSite correctly in a PR. https://github.com/zooniverse/front-end-monorepo/pull/6216#discussion_r1737125967

I just read the FAQ for Firefox "Total Cookie Protection" and I am sadly no closer to understanding what impact Total Cookie Protection has on how I should build web applications - I'm particularly interested in understanding how it impacts things like OAuth SSO https://support.mozilla.org/en-US/kb/total-cookie-protection-and-website-breakage-faq

@simon OAuth doesn't use third-party cookies so I believe it's all good. The problem is with SSO systems which use third-party cookies to transparently log you in across several domains.

@russss aaah gotcha - that’s the thing that caused the Chrome team to implement their weird 2-minute twist https://simonwillison.net/2021/Aug/3/samesite/#chrome-2-minute-twist
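The SSO cases discussed above (an identity provider POSTing back to the app versus a third-party iframe silently logging you in) come down to whether the browser attaches a cookie to a cross-site request. The following is an added illustration, not code from the thread or from Simon's write-up: a simplified model of the SameSite rules plus Chrome's 2-minute "Lax-allowing-unsafe" window for cookies that set no SameSite attribute. The `Cookie`/`Request` types and `is_sent` are my own; Firefox Total Cookie Protection (per-site partitioning of third-party storage) is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Chrome treats a cookie with no SameSite attribute as Lax, except that a
# top-level cross-site POST still carries it if it was set < 2 minutes ago.
LAX_UNSAFE_WINDOW_SECONDS = 120
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None = attribute absent
    secure: bool = False
    age_seconds: float = 0.0  # seconds since the Set-Cookie response


@dataclass
class Request:
    cross_site: bool              # requester's site differs from the cookie's site
    top_level_navigation: bool    # address-bar/link/form navigation vs. img/iframe/fetch
    method: str = "GET"


def is_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if the browser would attach `cookie` to `req` (simplified model)."""
    if not req.cross_site:
        return True                      # same-site: SameSite never blocks
    if cookie.samesite == "None":
        # SameSite=None without Secure is rejected at set time by Chrome/Firefox,
        # so it is never available to send.
        return cookie.secure
    if cookie.samesite == "Strict":
        return False                     # never on any cross-site request
    safe = req.method.upper() in SAFE_METHODS
    if cookie.samesite == "Lax":
        return req.top_level_navigation and safe
    # Attribute absent: Lax, plus the 2-minute exception for unsafe top-level requests
    if req.top_level_navigation and safe:
        return True
    return req.top_level_navigation and cookie.age_seconds < LAX_UNSAFE_WINDOW_SECONDS


def sso_form_post_sent(samesite: Optional[str], age_seconds: float) -> bool:
    """The IdP redirect-back case: a top-level cross-site POST to the app."""
    session = Cookie("session", samesite, secure=True, age_seconds=age_seconds)
    return is_sent(session, Request(cross_site=True, top_level_navigation=True, method="POST"))


def sso_iframe_sent(samesite: Optional[str]) -> bool:
    """The transparent-login case: the IdP is embedded as a third-party iframe."""
    session = Cookie("session", samesite, secure=True)
    return is_sent(session, Request(cross_site=True, top_level_navigation=False))
```

With no attribute the form POST works only inside the 2-minute window, with `SameSite=Lax` it never does, and the iframe login works only with `SameSite=None; Secure`.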
@simon I was literally sweating these details yesterday when Hono, a lightweight JS framework, wouldn't write signed cookies and I thought it might be the sameSite.