nodeSolidServer/solid-auth-client

Cookie not set with SameSite attribute

james-martin-jd opened this issue · 3 comments

This issue is visible for all users on https://generator.inrupt.com. Once logged in, a console warning is generated, which reads:

A cookie associated with a cross-site resource at https://inrupt.net/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

The only cookie on the generator.inrupt.com site is for inrupt.net, which is triggering the warning.

The links in the warning (https://www.chromestatus.com/feature/5088147346030592 etc) both go into more details on the issue as well, including linking to a timeline.

I think this might be an NSS issue because cookies are set by the server.
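As an added example (not code from solid-auth-client or NSS), the Node script below classifies a `Set-Cookie` header the way the Chrome change quoted above does: a cookie with no `SameSite` attribute is defaulted to `Lax` and withheld from cross-site requests, and `SameSite=None` is only honoured together with `Secure`. It also builds the header the server-side fix needs. The function names are mine; `nssidp.sid` is the cookie name mentioned in this thread and the session value is constructed.

```javascript
// Added example (not from solid-auth-client or NSS): parse a Set-Cookie
// header and classify it the way Chrome's "SameSite by default" change does.
// Rules modelled: no SameSite attribute (or an unrecognised value) is treated
// as Lax and withheld from cross-site requests (the case in the warning);
// SameSite=None is only honoured when Secure is also present.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), attrs: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : attr.slice(eq + 1).trim();
    cookie.attrs[key] = val; // flag attributes (Secure, HttpOnly) become true
  }
  return cookie;
}

// Returns 'sent' if Chrome (SameSite-by-default enabled) would attach the
// cookie to a cross-site request, otherwise a short reason why it would not.
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
  const secure = c.attrs.secure === true;
  if (sameSite === undefined) return 'withheld: no SameSite attribute, defaulted to Lax';
  if (sameSite === 'none' && !secure) return 'rejected: SameSite=None requires Secure';
  if (sameSite === 'none') return 'sent';
  return `withheld: SameSite=${sameSite}`;
}

// The header a server would need to emit for a session cookie that must work
// cross-site (e.g. an app on generator.inrupt.com talking to inrupt.net).
function crossSiteCookieHeader(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Constructed sample headers; "nssidp.sid" is the cookie name from the thread,
// the session value is made up.
const samples = [
  'nssidp.sid=s%3Aabc123; Path=/; HttpOnly',
  'nssidp.sid=s%3Aabc123; Path=/; HttpOnly; SameSite=None',
  crossSiteCookieHeader('nssidp.sid', 's%3Aabc123'),
];
for (const h of samples) console.log(crossSiteVerdict(h), '<-', h);
```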

This issue also appears using solid.community and this Chrome feature is now enabled on Android (breaking all Solid apps using the nssidp.sid cookie), but can be disabled through chrome://flags/#same-site-by-default-cookies.

It appears the change required in NSS is not too difficult, but this could also be considered a solid-auth-client issue - if cookie-based authentication fails (e.g. because the client rejects third-party cookies for any other reason), ideally it should be possible to fall back to another mechanism?

The NSS issue about rethinking authentication configuration also seems relevant: nodeSolidServer/node-solid-server#672

If I understand correctly, this authentication method no longer works on new servers anyway (#173), so issues with SameSite in this library are no longer relevant and this issue can be closed as such?