@diosmosis opened this Pull Request on February 13th 2020 Member

Fix a couple of issues with SameSite handling in the session: make sure the session start has the correct value, write the header where needed, and use None for the opt-out frame so the session ID is sent when embedding the iframe.

fix https://github.com/matomo-org/matomo/issues/15513

@diosmosis commented on February 14th 2020 Member

Great points @sgiehl, I'll address them asap.

@tsteur commented on February 14th 2020 Member

Also, Firefox and Edge have announced support for SameSite cookies. Won't they restrict SameSite=None without Secure as well? Not sure if the check for Chrome makes sense here at all.

Just FYI, they have supported SameSite for a while already. What changes for Chrome is the default when no SameSite attribute is specified: Lax is then applied, and when it says None it must be Secure. AFAIK for Firefox etc. that's not the case just yet. We could probably apply the same behaviour across browsers already, though. It just means opt-out might be broken for a few more sites on HTTP, but there might not be too many.

@diosmosis commented on February 17th 2020 Member

Updated to always add SameSite=Lax in JS. Seems to work for Chrome, Firefox & Safari. Didn't use old versions of Safari, of course, though those have issues with None only.
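The two rules discussed above (a cookie with no SameSite attribute is treated as Lax under Chrome's new default, and SameSite=None is only honoured together with Secure) decide whether the session cookie reaches the opt-out iframe at all. The following is an added example, not Matomo's code or anything from this PR: a small parser for a Set-Cookie value, an evaluator that applies the Chrome policy to it, and a builder that emits the right attributes for a session cookie depending on whether it must survive a cross-site embed. The cookie name `MATOMO_SESSID` and the option names (`crossSite`, `https`, `requireSecureForNone`) are assumptions for illustration.

```javascript
// Added example (not Matomo code): model the SameSite policy discussed in the thread.
// Chrome's "SameSite by default": a cookie with no SameSite attribute is treated as
// Lax, and SameSite=None is only accepted when the cookie is also marked Secure.
// Cookie names and option names below are constructed for illustration.

// Parse one Set-Cookie header value (the same grammar a document.cookie assignment
// uses) into name, value and a map of lower-cased attribute names.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf('=');
    const key = (idx === -1 ? p : p.slice(0, idx)).trim().toLowerCase();
    attrs[key] = idx === -1 ? true : p.slice(idx + 1).trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Decide how a browser applying Chrome's defaults treats the cookie when the
// request comes from a cross-site context such as an embedded opt-out iframe.
// requireSecureForNone=false models browsers that do not (yet) enforce that rule.
function evaluateSameSite(header, { requireSecureForNone = true } = {}) {
  const { attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  const secure = attrs.secure === true;
  let effective;
  if (raw === 'none') effective = 'None';
  else if (raw === 'strict') effective = 'Strict';
  else effective = 'Lax'; // unspecified (or unrecognised) value => Lax by default
  if (effective === 'None' && requireSecureForNone && !secure) {
    // Chrome rejects the cookie outright, so it is never sent anywhere.
    return { effective, sentCrossSite: false, rejected: true, reason: 'SameSite=None requires Secure' };
  }
  return { effective, sentCrossSite: effective === 'None', rejected: false, reason: '' };
}

// Build the cookie string for a session cookie. A cookie that has to reach a
// cross-site iframe must be None + Secure, which is only possible over HTTPS;
// every other session cookie gets Lax (and Secure when the site is HTTPS).
function buildSessionCookie(name, value, { crossSite, https }) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly'];
  if (crossSite) {
    if (!https) throw new Error('cross-site cookie needs SameSite=None, which requires HTTPS');
    parts.push('SameSite=None', 'Secure');
  } else {
    parts.push('SameSite=Lax');
    if (https) parts.push('Secure');
  }
  return parts.join('; ');
}

// Stand-alone demonstration with constructed header values.
console.log(evaluateSameSite('MATOMO_SESSID=abc; Path=/; HttpOnly'));            // Lax, not sent cross-site
console.log(evaluateSameSite('MATOMO_SESSID=abc; SameSite=None'));               // rejected on Chrome
console.log(evaluateSameSite('MATOMO_SESSID=abc; SameSite=None; Secure'));       // sent cross-site
console.log(buildSessionCookie('MATOMO_SESSID', 'abc', { crossSite: true, https: true }));
```

`buildSessionCookie` throws rather than silently emitting `SameSite=None` without `Secure`, because that is exactly the cookie Chrome drops and the reason an opt-out iframe on an HTTP site stops working; surfacing the failure at cookie-creation time is easier to debug than a silently empty session. One caveat the thread only alludes to: some older Safari releases did not understand the `None` value and treated it as `Strict`, so on those browsers the cross-site branch above still will not deliver the cookie.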

This Pull Request was closed on February 20th 2020