Firefox rejecting cookies over SameSite attribute? #752
Description
It's been a long time and perhaps I posted this in the wrong place and should have posted here instead:
ocsigen/ocsigenserver#194
Copy pasted:
I have a working ocsigenserver instance version 2.16.0 on Ocaml 4.10.0 and until relatively recently it was working ok. However Firefox (version 88.0.1) is rejecting cookies that are required for eliom sessions (which is a big problem). This issue does not arise with Chrome version 90.0.4430. The Firefox webdeveloper tools reveal this message:
Some cookies are misusing the recommended “SameSite“ attribute Cookie “eliomdatasession||||connect_state” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
I have to admit I am not using https but I don't really need that for my use case, and I'm not sure that's entirely relevant. Examining the cookie in question I can see that it lacks the samesite attribute (it shows no restriction). And that modifying the cookie to "Lax" fixes the problem.
Does anyone know if Ocsigenserver is going to properly set this cookie attribute in a future later version, or does it already? Or how to set the cookies to "Lax" or some other valid value?