Implement #16161: SameSite cookie attribute can be configured for JS tracker #16504
…ed for JS tracker.
@beger thanks for creating this PR! I was wondering if we could simplify it and set automatically
@tsteur I think this may not be the right solution for every use case: you still may want to enforce a different SameSite policy even if your connection is secure. But I think it probably would make sense to do it the other way around and set
@beger that could work. And ideally it was to throw an error and/or log a message if this is called on HTTP ?
@beger be great if you could look at my last comment and let us know if you're still planning to work on this PR?
Hello @tsteur,
Hi @beger, we're currently trying to use the code of your PR as a fix until a release happens and found a problem: Which leads me to another issue: This check depends on the order of operations of setCookieDomain, setSecureCookie and setCookieSameSite. If you first set the CookieDomain, then the SameSite/Secure attributes, the check fails. If you first set Secure and SameSite, the check works fine. Maybe the cookie configuration should be moved into a single paq-Setting, along the lines of this, while keeping the old syntax for backwards compatibility: I'd be happy to help implementing this, if possible.
fyi if you are using one tracker using and init this tracker using To make it fully independent would probably require quite a few more changes as it is already a general problem in Matomo which could therefore also be fixed in a separate PR later. We should document it though at least that eg Adding it to
Thanks for getting this work started @beger and contributing to this feature, very appreciated 👍
With this change you can now set up your JS tracking code like this:
_paq.push(['setCookieSameSite', 'None']);
This will set the SameSite attribute for all cookies set by Matomo to the value used above. The default is still SameSite='Lax' if setCookieSameSite is not used.
Implements the enhancement discussed in #16161.
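
The order-of-operations problem raised in the conversation above goes away when the cookie attributes are validated once, at the moment a cookie is written, instead of inside each setter. The sketch below is an added example and not Matomo's tracker code: `createCookieConfig`, `serialize` and the sample cookie name are hypothetical, and the setter names only mirror the ones mentioned in this thread.

```javascript
// Added illustration, not Matomo's code. All names are hypothetical.
const SAME_SITE_VALUES = { none: 'None', lax: 'Lax', strict: 'Strict' };

function createCookieConfig() {
  // Setters only record values. Nothing is validated here, so the
  // order in which they are called cannot change the outcome.
  const state = { domain: null, secure: false, sameSite: 'Lax' };
  return {
    setCookieDomain(domain) { state.domain = domain; return this; },
    setSecureCookie(secure) { state.secure = Boolean(secure); return this; },
    setCookieSameSite(value) { state.sameSite = value; return this; },

    // Validation runs once, against the final state, when a cookie is built.
    // pageProtocol is passed in (e.g. location.protocol) to keep this testable.
    serialize(name, value, pageProtocol) {
      const sameSite = SAME_SITE_VALUES[String(state.sameSite).toLowerCase()];
      if (!sameSite) {
        throw new Error('SameSite must be None, Lax or Strict');
      }
      if (state.secure && pageProtocol !== 'https:') {
        // Browsers refuse Secure cookies written from an insecure page.
        throw new Error('Secure cookies cannot be set from an HTTP page');
      }
      if (sameSite === 'None' && !state.secure) {
        // Current browsers reject SameSite=None cookies that lack Secure.
        throw new Error('SameSite=None requires the Secure attribute');
      }
      const parts = [
        encodeURIComponent(name) + '=' + encodeURIComponent(value),
        'path=/'
      ];
      if (state.domain) parts.push('domain=' + state.domain);
      parts.push('SameSite=' + sameSite);
      if (state.secure) parts.push('secure');
      return parts.join('; ');
    }
  };
}
```

The returned string is what would be assigned to `document.cookie`; a misconfiguration surfaces as an error at write time rather than as a cookie the browser silently drops.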