@beger opened this Pull Request on October 1st 2020 First_time_contributor

With this change you can now set up your JS tracking code like this:

_paq.push(['setCookieSameSite', 'None']);

This will set the SameSite attribute for all cookies set by Matomo to the value used above. The default is still SameSite='Lax' if setCookieSameSite is not used.

Implements the enhancement discussed in https://github.com/matomo-org/matomo/issues/16161.

@tsteur commented on October 1st 2020 Member

@beger thanks for creating this PR! I was wondering if we could simplify it and automatically set SameSite=None when isSecure is set? I'm suggesting this because None only works when Secure is also set, see e.g. https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite AFAIK

@beger commented on October 1st 2020

@tsteur I think this may not be the right solution for every use case: you still may want to enforce a different SameSite policy even if your connection is secure. But I think it probably would make sense to do it the other way around and set isSecure to true automatically if SameSite is set to None. What do you think?

@tsteur commented on October 1st 2020 Member

@beger that could work. And ideally it would throw an error and/or log a message if this is called on HTTP?
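
The policy the thread converges on (default Lax, SameSite=None forcing Secure, a message when the page is served over HTTP), sketched as an added example. This is not Matomo's tracker code or the PR's diff; `resolveCookiePolicy`, `buildCookieString`, the config shape and the cookie name are hypothetical.

```javascript
// Added illustration; not Matomo's tracker code. All names are hypothetical.
const VALID_SAMESITE = ['Strict', 'Lax', 'None'];

// Resolve the effective cookie attributes:
// - SameSite defaults to Lax when nothing is configured
// - SameSite=None implies Secure (browsers reject None without Secure)
// - a Secure cookie on a plain-HTTP page is reported, since it cannot be stored
function resolveCookiePolicy(config, pageProtocol) {
  const warnings = [];
  let sameSite = 'Lax';
  if (config.sameSite !== undefined) {
    // Normalise case so 'none' and 'None' are treated alike.
    const raw = String(config.sameSite);
    const normalised = raw.charAt(0).toUpperCase() + raw.slice(1).toLowerCase();
    if (!VALID_SAMESITE.includes(normalised)) {
      throw new Error('Invalid SameSite value: ' + raw);
    }
    sameSite = normalised;
  }
  let secure = Boolean(config.secure);
  if (sameSite === 'None' && !secure) {
    secure = true;
    warnings.push('SameSite=None requires Secure; enabling Secure');
  }
  if (secure && pageProtocol !== 'https:') {
    warnings.push('Secure cookie requested on a ' + pageProtocol +
      ' page; the browser will not store it');
  }
  return { sameSite, secure, warnings };
}

// Serialise the cookie in the form assigned to document.cookie.
function buildCookieString(name, value, policy) {
  let cookie = encodeURIComponent(name) + '=' + encodeURIComponent(value) +
    '; path=/; SameSite=' + policy.sameSite;
  if (policy.secure) {
    cookie += '; Secure';
  }
  return cookie;
}
```

In a page, the second argument would be `location.protocol`, and the caller decides whether a non-empty `warnings` list is logged or turned into an error.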
