Description:
The current OriginMiddleware determines the request origin and sets a secure cookie in the browser. While this works correctly for Chromium-based browsers and Firefox, it fails in Safari. This is because Safari does not treat http://localhost as a secure context, and subsequently refuses to set cookies marked as Secure.
Consequently, applications relying on this origin cannot function properly during local development on Safari.
Proposed Change:
To support development across all browsers, we should make the cookie attributes configurable at the application level. We propose adding options for:
path
sameSite
secure (allowing it to be set to false for local dev)
We will continue to default httpOnly to true for the time being.
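As an added illustration (not the project's own code) of how such configurable attributes can be resolved safely, the resolver below keeps httpOnly fixed, defaults secure to true, and only lets secure be relaxed when the sameSite value still permits it; the names resolveCookieOptions and serializeCookie are assumptions.

```javascript
// Added example: resolves cookie attributes for an origin cookie from
// application-level overrides, then serialises a Set-Cookie value.
// (Hypothetical helper names; not the project's real middleware API.)

const DEFAULTS = {
  path: "/",
  sameSite: "Lax",
  secure: true,    // production default: cookie only sent over HTTPS
  httpOnly: true,  // always on; deliberately not configurable
};

function resolveCookieOptions(overrides = {}) {
  // httpOnly is re-applied last so an override can never switch it off.
  const opts = { ...DEFAULTS, ...overrides, httpOnly: true };
  const sameSite = String(opts.sameSite);
  if (!["Strict", "Lax", "None"].includes(sameSite)) {
    throw new Error(`invalid sameSite: ${opts.sameSite}`);
  }
  opts.sameSite = sameSite;
  // Browsers discard SameSite=None cookies that lack the Secure attribute,
  // so dropping Secure for local dev only works with Strict or Lax.
  if (sameSite === "None" && !opts.secure) {
    throw new Error("sameSite=None requires secure=true");
  }
  if (typeof opts.path !== "string" || !opts.path.startsWith("/")) {
    throw new Error(`invalid path: ${opts.path}`);
  }
  return opts;
}

function serializeCookie(name, value, opts) {
  // The value is percent-encoded so it cannot smuggle in extra attributes.
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${opts.path}`,
    `SameSite=${opts.sameSite}`,
  ];
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Production keeps Secure; the local-dev override drops it so that Safari
// on http://localhost (not a secure context there) will store the cookie.
const prodCookie = serializeCookie("origin", "https://app.example", resolveCookieOptions());
const devCookie = serializeCookie("origin", "http://localhost:3000", resolveCookieOptions({ secure: false }));
```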