use SameSite=Lax instead of SameSite=Strict

To improve reliability of live streams (#59) on Safari.

Safari was dropping the cookie from websocket update requests.
(But it worked sometimes. I don't get why.) I saw folks on the Internet
thinking this related to HttpOnly:

*   https://developer.apple.com/forums/thread/104488
*   https://stackoverflow.com/q/47742807/23584

but I still see this behavior without HttpOnly. SameSite=Strict vs
SameSite=Lax appears to make a difference. Try that instead.
SameSite=Strict is pointless for us anyway as noted in a new comment.
Turning off HttpOnly would be more unfortunate security-wise.
Scott Lamb
2021-03-31 10:44:08 -07:00
parent 2fe961f382
commit 560fe804d6
4 changed files with 64 additions and 31 deletions
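As an added example (not code from this commit or from the project), the following Python models the SameSite rules of RFC 6265bis so the trade-off in the message can be checked: for the same-site requests a single-origin web UI makes (including a WebSocket upgrade), a conforming browser attaches the cookie under both `SameSite=Strict` and `SameSite=Lax`, and the two only differ on cross-site top-level navigations; `HttpOnly` is a separate question that only governs script access. The class and function names, the constructed scenarios and the `set_cookie_header` helper are mine; the Safari drop described in the message is a browser deviation and is not modelled.

```python
# Added example, not part of the commit or the project: a small model of the
# SameSite rules from RFC 6265bis, used to show when a session cookie is
# attached under Strict vs Lax and why HttpOnly is a separate question.
# Browser bugs (such as the Safari behaviour in the commit message) are not
# modelled.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str          # "Strict", "Lax" or "None"
    http_only: bool = True
    secure: bool = True


@dataclass(frozen=True)
class Request:
    """A request as the browser sees it when deciding whether to attach cookies."""
    same_site: bool             # request URL is same-site with the initiating document
    top_level_navigation: bool  # whole-tab navigation (link click, form submit)
    method: str = "GET"


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Does a conforming browser attach `cookie` to `req`?

    HttpOnly plays no part here: it only hides the cookie from script."""
    if req.same_site:
        return True                         # SameSite never blocks same-site requests
    if cookie.same_site == "None":
        return cookie.secure                # cross-site allowed, but only with Secure
    if cookie.same_site == "Lax":
        # Lax: cross-site only on top-level navigations with a safe method
        return req.top_level_navigation and req.method in SAFE_METHODS
    return False                            # Strict: never sent cross-site


def script_can_read(cookie: Cookie) -> bool:
    """Whether document.cookie exposes the cookie (the HttpOnly question)."""
    return not cookie.http_only


def set_cookie_header(cookie: Cookie, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header line; rejects SameSite=None without Secure."""
    if cookie.same_site == "None" and not cookie.secure:
        raise ValueError("SameSite=None requires Secure")
    attrs = [f"{cookie.name}={value}", f"Path={path}", f"SameSite={cookie.same_site}"]
    if cookie.secure:
        attrs.append("Secure")
    if cookie.http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


# Constructed scenarios covering the cases that matter for a session cookie.
SCENARIOS = {
    "same-site websocket upgrade": Request(same_site=True, top_level_navigation=False),
    "same-site XHR/fetch":         Request(same_site=True, top_level_navigation=False),
    "cross-site link click":       Request(same_site=False, top_level_navigation=True),
    "cross-site form POST":        Request(same_site=False, top_level_navigation=True,
                                           method="POST"),
    "cross-site fetch/img":        Request(same_site=False, top_level_navigation=False),
}


def compare(strict: Cookie, lax: Cookie) -> dict:
    """Map each scenario name to (sent_with_strict, sent_with_lax)."""
    return {name: (cookie_is_sent(strict, r), cookie_is_sent(lax, r))
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    strict = Cookie("s", "Strict")
    lax = Cookie("s", "Lax")
    print(set_cookie_header(lax, "opaque-session-id"))
    for name, (a, b) in compare(strict, lax).items():
        print(f"{name:30} Strict={a!s:5} Lax={b!s:5}")
```

Running it shows the one row where the two settings differ is the cross-site link click: Lax sends the cookie there, Strict does not. For an app whose UI and WebSocket endpoints share a site, Strict buys nothing over Lax, and relaxing HttpOnly instead would only widen script access without affecting which requests carry the cookie.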

@@ -26,7 +26,7 @@ The request should have an `application/json` body containing a dict with
`username` and `password` keys.
On successful authentication, the server will return an HTTP 204 (no content)
with a `Set-Cookie` header for the `s` cookie, which is an opaque, HttpOnly
with a `Set-Cookie` header for the `s` cookie, which is an opaque, `HttpOnly`
(unavailable to Javascript) session identifier.
If authentication or authorization fails, the server will return a HTTP 403
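Review bot: this hunk only adds code formatting around `HttpOnly`, but the commit changes the `s` cookie to `SameSite=Lax`, and the sentence describing the cookie does not mention it; the same line should state the `SameSite=Lax` attribute so API clients know the session cookie is attached to same-site requests and to top-level cross-site navigations but not to other cross-site requests. Two small wording points in the surrounding context lines: "a HTTP 403" should read "an HTTP 403", and "Javascript" is conventionally spelled "JavaScript".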