Security: Cannot set sameSite=None in cookie settings

Google recently changed their cookie policies (Chrome's Changes Could Break Your App: Prepare for SameSite Cookie Updates | Heroku). Basically, all cookies which come from another top-level domain must have the attribute “secure: true” (which is the case), plus “sameSite=None”.
Now, in the Discourse Security settings you can change the cookie policy:

“same site cookies” with the options: “Lax”, “Strict”, “Disabled”.

The first two will be directly forwarded as values of the “SameSite” parameter in the cookie. “Disabled” does not set a value at all.

Now the problem is that we need to pass the value “None” into the cookie. Only with “None” will the cookie be transferred to the other (non-same top-level-domain) site.

However, there’s no value “None” that I can select in Discourse, but we desperately need it to make our Discourse forum API work.

It should be no big hassle to implement an additional value “None” in the same_site cookie.
Can someone please have a look?

Thanks in advance!
David

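To make the behaviour described in the post concrete, here is an added example (not Discourse's own code, and not the PR discussed in this thread) in plain Ruby. It maps the four values of the “same site cookies” setting, including the missing “None”, onto a Set-Cookie header, and then applies the Chrome 80+ rules from the linked Heroku article to decide whether a cross-site request to the forum API would carry the cookie: a missing SameSite attribute is treated as Lax, and SameSite=None is only honoured together with Secure. The constant and helper names (`SETTING_VALUES`, `set_cookie_header`, `sent_cross_site?`) are assumptions made for this illustration.

```ruby
# Added example (not Discourse code): how the "same site cookies" site
# setting maps onto the Set-Cookie header, and how a Chrome 80+ style
# browser decides whether to attach that cookie to a cross-site request.
# SETTING_VALUES and the helper names are assumptions for illustration.

SETTING_VALUES = %w[Lax Strict None Disabled].freeze

# Attribute list for a session cookie given the site setting value.
# "Disabled" emits no SameSite attribute at all; Chrome 80+ then treats
# the cookie as if it were SameSite=Lax.
def cookie_attributes(same_site_setting, secure: true)
  unless SETTING_VALUES.include?(same_site_setting)
    raise ArgumentError, "unknown setting #{same_site_setting.inspect}"
  end
  attrs = ["Path=/", "HttpOnly"]
  attrs << "Secure" if secure
  attrs << "SameSite=#{same_site_setting}" unless same_site_setting == "Disabled"
  attrs
end

# Full Set-Cookie header value, e.g.
# "_forum_session=abc123; Path=/; HttpOnly; Secure; SameSite=None"
def set_cookie_header(name, value, same_site_setting, secure: true)
  (["#{name}=#{value}"] + cookie_attributes(same_site_setting, secure: secure)).join("; ")
end

# Reduce a Set-Cookie header to the flags that matter for SameSite handling.
def parse_set_cookie(header)
  parts = header.split(";").map(&:strip)
  name_value = parts.shift
  flags = { name: name_value.split("=", 2).first, secure: false, same_site: nil }
  parts.each do |part|
    key, val = part.split("=", 2)
    case key.downcase
    when "secure"   then flags[:secure] = true
    when "samesite" then flags[:same_site] = val.to_s.downcase
    end
  end
  flags
end

# Would a Chrome 80+ browser send this cookie on a request from another
# top-level domain? top_level_navigation: true models a top-level GET
# navigation (allowed under Lax); false models an XHR/fetch to the API.
def sent_cross_site?(header, top_level_navigation: false)
  flags = parse_set_cookie(header)
  same_site = flags[:same_site]
  # SameSite=None is only accepted together with Secure; otherwise Chrome
  # rejects the cookie when it is set, so it is never sent anywhere.
  return flags[:secure] if same_site == "none"
  return false if same_site == "strict"
  # "lax", an absent attribute ("Disabled") or an unrecognised value all
  # behave as Lax: cookies only on top-level navigations.
  top_level_navigation
end

if __FILE__ == $PROGRAM_NAME
  SETTING_VALUES.each do |setting|
    header = set_cookie_header("_forum_session", "abc123", setting)
    puts "#{setting.ljust(8)} -> #{header}"
    puts "          cross-site API call gets cookie: #{sent_cross_site?(header)}"
  end
end
```

Running the block shows why the three original options cannot serve a cross-domain API: “Lax”, “Strict” and “Disabled” all withhold the cookie from a fetch/XHR coming from another top-level domain, and only “None” (with Secure, which the poster already has) sends it.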

PR totally welcome here to add that extra setting, it should be a tiny tiny change.


No problem. The implementation (which is basically adding one word) is ready. I just signed your Contributor Agreement. Can you please make me a contributor? My GitHub name is also dave0688. Then I’ll create a PR, which I would ask you (or someone else) to review, please.


Can I please have an answer on that? I’m ready to create the PR, but getting a 403 when pushing my branch…

You will need to fork the repository, push your branch to your fork, and then make a PR from there. Only the Discourse team are ‘contributors’ to the discourse/discourse repository.

https://help.github.com/en/github/getting-started-with-github/fork-a-repo


No problem, just did that:


Just merged, thanks for the PR @dave0688 :smiley:

