
Set samesite lax instead of None if site is not on https #15598


Description

@tsteur

I'm referring to this here: https://github.com/matomo-org/matomo/pull/15561/files#diff-7de787015af7507a7278689396b18f7dR450-R451

Other browsers will follow and require SameSite=None to also have the Secure flag. See https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

So, if we are on http, and we are about to set None, then we should set Lax instead.

All we likely need to do is change `if ((!ProxyHttp::isHttps()) && $browserFamily === 'Chrome') {` to `if ((!ProxyHttp::isHttps())) {`. We leave the check for Safari in there in case the user is not on HTTPS.
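A worked version of the proposed rule, added here as an example and not Matomo's own code: the helper names chooseSameSite and buildSetCookieHeader and the $isHttps and $browserFamily parameters are assumptions standing in for ProxyHttp::isHttps() and Matomo's browser detection, and the Safari branch is a stand-in for the existing Safari check, whose exact condition the issue does not show.

```php
<?php
// Added example, not Matomo's code. $isHttps stands in for ProxyHttp::isHttps();
// $browserFamily stands in for Matomo's detected browser family (assumption).

/**
 * Decide which SameSite value to emit. Browsers enforcing the new cookie rules
 * reject SameSite=None unless the cookie is also Secure, and a Secure cookie is
 * never sent over plain HTTP, so on HTTP we fall back to Lax for every browser
 * instead of emitting a cookie the browser would silently drop.
 */
function chooseSameSite(string $requested, bool $isHttps, string $browserFamily): string
{
    $requested = ucfirst(strtolower($requested)); // normalise 'none' / 'NONE' -> 'None'

    if ($requested === 'None' && !$isHttps) {
        // The issue's change: no longer limited to Chrome.
        return 'Lax';
    }

    if ($requested === 'None' && $browserFamily === 'Safari') {
        // Stand-in for the existing Safari exception kept by the issue; the real
        // condition is not shown on the page (assumption).
        return 'Lax';
    }

    return $requested;
}

/** Build a Set-Cookie header; SameSite=None always carries the Secure flag. */
function buildSetCookieHeader(string $name, string $value, string $sameSite): string
{
    $header = sprintf('Set-Cookie: %s=%s; Path=/; HttpOnly; SameSite=%s',
        rawurlencode($name), rawurlencode($value), $sameSite);
    if ($sameSite === 'None') {
        $header .= '; Secure';
    }
    return $header;
}

// Constructed cases: [requested SameSite, on HTTPS?, browser family]
$cases = [
    ['None', false, 'Firefox'], // HTTP: None would be rejected -> Lax
    ['None', true,  'Chrome'],  // HTTPS: None; Secure
    ['None', true,  'Safari'],  // Safari exception -> Lax
    ['Lax',  false, 'Chrome'],  // explicit Lax is passed through
];
foreach ($cases as [$req, $https, $family]) {
    echo buildSetCookieHeader('_pk_id', 'abc123', chooseSameSite($req, $https, $family)), PHP_EOL;
}
```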

Labels: Enhancement (for new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.)