https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33259 --- Comment #15 from Alex Buckley <alexbuckley@catalyst.net.nz> --- (In reply to Lucas Gass from comment #10)
Alex,
The QA tool complains about quite a few missing filters within Cookies.set. I think we can add the html filter in those cases, right?
Also, should none be option along with lax and strict?
Hi Lucas, Thanks for your comments. Yes, adding the HTML filters does fix up the QA test tool failures, so I have added that as a followup patch. Currently all Koha cookies have 'samesite' = 'Lax' which is why I made it the default syspref value. However, according to https://web.dev/samesite-cookies-explained/ there are three possible options for the 'samesite' attribute: - Strict - Lax - None - means you intentionally want the cookie sent in a third-party context. So I think yes we should probably add 'none' as a value along with lax and strict. I have amended the first patch 'Add SameSiteSessionCookie system preference' to add the 'none' option. Thanks, Alex -- You are receiving this mail because: You are watching all bug changes.