You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Based on what @flybayer mentioned here blitz-js/legacy-framework#227 (comment) my understanding is that cookies are used for auth (even for anonymous sessions). This works fine when the blitz app is run in the browser as a standalone application, where setting sameSite: "lax" is fine, but when an app is hosted in an iframe (inside a different domain), these cookies are not included in the requests. The alternative suggestion was to set sameSite: "none" but these cookies are treated as third party cookies and browsers are now starting to stop supporting third-party cookies.
Ref https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/
Possible implementation(s)
Perhaps use shared storage / local storage / session storage. It kinda depends on what we're relying on the auth cookie for.
The text was updated successfully, but these errors were encountered:
You're not likely to find much success replacing auth cookies with localStorage / sessionStorage.
Not only is it less secure, but browsers will typically hold those mechanisms to the same standard as cookies when they're making changes to protect privacy, so if SameSite=None is in the chopping block for iframes, storage APIs would probably be more restricted in the same update.
Fair point! This was more of a general suggestion, if we do definitely need to verify something.
I am not aware of what blitzjs checks when its an anonymous session, and whether we could make it work without cookies at all.
The legacy version was looking for a cookie and creating a brand new session on every request when the cookie was not found. It looks like the latest version might be doing the same?
What do you want and why?
Based on what @flybayer mentioned here blitz-js/legacy-framework#227 (comment) my understanding is that cookies are used for auth (even for anonymous sessions). This works fine when the blitz app is run in the browser as a standalone application, where setting sameSite: "lax" is fine, but when an app is hosted in an iframe (inside a different domain), these cookies are not included in the requests. The alternative suggestion was to set sameSite: "none" but these cookies are treated as third party cookies and browsers are now starting to stop supporting third-party cookies.
Ref https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/
Possible implementation(s)
Perhaps use shared storage / local storage / session storage. It kinda depends on what we're relying on the auth cookie for.
The text was updated successfully, but these errors were encountered: