With this change you can now set up your JS tracking code like this:
This will set the SameSite attribute for all cookies set by Matomo to the value used above. The default is still SameSite='Lax' if setCookieSameSite is not used.
Implements the enhancement discussed in https://github.com/matomo-org/matomo/issues/16161.
@beger thanks for creating this PR! I was wondering if we could simplify it and set automatically isSecure is set? I'm suggesting this because None only works when also Secure is set, see e.g. https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite AFAIK
@tsteur I think this may not be the right solution for every use case: you still may want to enforce a different SameSite policy even if your connection is secure. But I think it probably would make sense to do it the other way around and set true automatically if SameSite is set to None. What do you think?
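
The rule discussed in the two comments above (keep an explicit SameSite choice, turn Secure on only when the value is None), sketched as an added example that is not part of the thread or Matomo's own code. The function names `resolveCookiePolicy` and `buildCookieString` and the cookie name are hypothetical.

```javascript
// Added illustration; names here are hypothetical, not Matomo's tracker API.
const SAMESITE_VALUES = { strict: 'Strict', lax: 'Lax', none: 'None' };

// Resolve the effective cookie attributes from what the site owner requested.
// An explicit SameSite value is always respected (a secure connection does not
// override it); Secure is forced on only for SameSite=None, since, as noted in
// the thread, None only works when Secure is also set.
function resolveCookiePolicy(requestedSameSite, requestedSecure, pageIsHttps) {
    const raw = requestedSameSite === undefined ? 'lax' : requestedSameSite;
    const sameSite = SAMESITE_VALUES[String(raw).toLowerCase()];
    if (!sameSite) {
        throw new Error('Invalid SameSite value: ' + requestedSameSite);
    }
    let secure = Boolean(requestedSecure);
    const warnings = [];
    if (sameSite === 'None') {
        if (!secure) {
            secure = true;
            warnings.push('Secure forced on because SameSite=None');
        }
        if (!pageIsHttps) {
            // A Secure cookie cannot be written from a plain-HTTP page.
            warnings.push('Page is not HTTPS: the cookie will not be stored');
        }
    }
    return { sameSite, secure, warnings };
}

// Serialise the policy into the string assigned to document.cookie.
function buildCookieString(name, value, policy) {
    const parts = [
        encodeURIComponent(name) + '=' + encodeURIComponent(value),
        'path=/',
        'SameSite=' + policy.sameSite
    ];
    if (policy.secure) {
        parts.push('secure');
    }
    return parts.join('; ');
}

// Constructed sample: cross-site embed asks for None without setting Secure.
const sample = resolveCookiePolicy('None', false, true);
console.log(buildCookieString('example_id', 'abc123', sample), sample.warnings);
```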