@jyasskin sadly that doesn’t cover the deeper issue of what happens if you send set-cookie without a SameSite attribute at all - or weird undocumented edge-cases like what changes if a Safari user turns on “Prevent Cross-Site Tracking”
@simon My understanding of "Defaults to Lax" is that it's a description of what happens "if you send set-cookie without a SameSite attribute at all", but I admit that I don't know what the maintainers are actually testing when they update this entry, and I can't find any documentation that says explicitly.
+1 that user settings are much less evenly covered, although there's a field for it in the data format that's used for the Firefox setting: https://github.com/mdn/browser-compat-data/blob/e5b7e304e872e6fd4dd77c02b4f8915aabca48ea/http/headers/Set-Cookie.json#L258-L262.