mirror of
https://github.com/nais/wonderwall.git
synced 2026-05-08 01:17:21 +00:00
A login cookie is set as part of the redirection flow between the RP and OP, and thus inherently involves cross-site requests. Our client uses the response_mode=query parameter for authorization requests, which should work with the SameSite attribute set to Lax. However, there are certain versions of user agents on certain operating systems (e.g. Safari 12.2 on iOS<12.2, MacOS<10.14.4, Android WebView<72) that do not properly handle cookies with the SameSite attribute set. This commit attempts to alleviate this issue for legacy browsers by introducing a fallback cookie without the SameSite attribute set. Additionally, we set the SameSite value for the original login cookie to None to ensure that the cookie persists through the cross-origin redirection requests.
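The cookie pair described in the commit message, written out as an added Go example (this is not wonderwall's own code): the primary login cookie is sent with `SameSite=None; Secure`, a second copy is sent with no SameSite attribute at all for the legacy user agents, and the callback handler reads whichever of the two arrived. The cookie names, the `setLoginCookie`/`readLoginCookie`/`clearLoginCookie` helpers and the example value are assumptions for illustration; the example also assumes Go 1.16 or newer, where `http.SameSiteDefaultMode` omits the attribute instead of emitting a bare `SameSite` token.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Cookie names are assumed for this example, not taken from the project.
const (
	loginCookieName  = "wonderwall_login"
	legacyCookieName = "wonderwall_login_legacy"
)

// setLoginCookie writes the login state twice:
//   - the primary cookie carries SameSite=None so it survives the cross-site
//     redirect back from the OP; None is only honoured together with Secure;
//   - the fallback cookie carries no SameSite attribute at all, for legacy
//     user agents that mis-handle any SameSite value (assumes Go >= 1.16,
//     where SameSiteDefaultMode emits no attribute).
func setLoginCookie(w http.ResponseWriter, value string, maxAge int) {
	http.SetCookie(w, &http.Cookie{
		Name:     loginCookieName,
		Value:    value,
		Path:     "/",
		MaxAge:   maxAge,
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteNoneMode,
	})
	http.SetCookie(w, &http.Cookie{
		Name:     legacyCookieName,
		Value:    value,
		Path:     "/",
		MaxAge:   maxAge,
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteDefaultMode, // no SameSite attribute on the wire
	})
}

// readLoginCookie prefers the primary cookie and falls back to the legacy copy.
// Both carry the same value, so the caller does not need to know which one the
// browser chose to send.
func readLoginCookie(r *http.Request) (string, bool) {
	for _, name := range []string{loginCookieName, legacyCookieName} {
		if c, err := r.Cookie(name); err == nil && c.Value != "" {
			return c.Value, true
		}
	}
	return "", false
}

// clearLoginCookie expires both copies once the callback has consumed the
// login state, so the one-time value is not left behind in the browser.
func clearLoginCookie(w http.ResponseWriter) {
	for _, name := range []string{loginCookieName, legacyCookieName} {
		http.SetCookie(w, &http.Cookie{
			Name:     name,
			Value:    "",
			Path:     "/",
			MaxAge:   -1,
			Secure:   true,
			HttpOnly: true,
		})
	}
}

func main() {
	// Constructed demonstration: show the two Set-Cookie headers, then simulate
	// a legacy browser that only returns the fallback copy on the callback.
	rec := httptest.NewRecorder()
	setLoginCookie(rec, "example-login-state", 600)
	for _, h := range rec.Header().Values("Set-Cookie") {
		fmt.Println(h)
	}
	req := httptest.NewRequest("GET", "https://rp.example.test/oauth2/callback", nil)
	req.AddCookie(&http.Cookie{Name: legacyCookieName, Value: "example-login-state"})
	v, ok := readLoginCookie(req)
	fmt.Println("login state from callback:", v, ok)
}
```

Note that the fallback copy is deliberately sent without any SameSite attribute rather than with Lax: the browsers being worked around are the ones that mishandle the attribute itself, so the only value that is safe for all of them is no value. Modern browsers will apply their default (Lax) to that copy and ignore it on the cross-site callback, but they send the `SameSite=None` copy instead.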