Google recently changed their cookie policies (Chrome's Changes Could Break Your App: Prepare for SameSite Cookie Updates | Heroku). Basically, all cookies which come from another top-level domain must have the attribute “secure: true” (which is the case), plus “sameSite=None”.
Now, in the Discourse Security settings you can change the cookie policy:
“same site cookies” with the options: “Lax”, “Strict”, “Disabled”.
The first two will be directly forwarded as values of the “SameSite” parameter in the cookie. “Disabled” does not set a value at all.
Now the problem is that we need to pass a value “None” into the cookie. Only with “None” will the cookie be transferred to the other (non-same top-level domain) site.
However, there’s no value “None” which I can select in Discourse, but we desperately need it to make our Discourse forum API work.
It should be no big hassle to implement an additional value “None” in the same_site cookie.
Can someone please have a look?
No problem. Implementation (which is basically adding one word) is ready. I just signed your Contributor Agreement. Can you please make me a contributor? My GitHub name is also dave0688. Then I’ll create a PR which I would ask you (or someone else) to review, please.
You will need to fork the repository, push your branch to your fork, and then make a PR from there. Only the Discourse team are ‘contributors’ to the discourse/discourse repository.
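
The setting-to-attribute mapping described in the first post, written out as an added Ruby example; it is not Discourse's code and not part of the thread. It assumes a fourth option “None” next to the three existing ones, and the names `build_set_cookie`, `cross_site_delivery` and the cookie `session_token` are hypothetical. The second function classifies how a browser enforcing the new defaults treats each header on a cross-site subrequest such as an API call from another site.

```ruby
# Added illustration; not Discourse code. All names here are hypothetical.
SAME_SITE_SETTINGS = {
  "Lax"      => "Lax",
  "Strict"   => "Strict",
  "Disabled" => nil,    # no SameSite attribute is emitted at all
  "None"     => "None"  # the value requested in the thread
}.freeze

# Build a Set-Cookie header value from the chosen site setting.
def build_set_cookie(name, value, setting:, secure:)
  unless SAME_SITE_SETTINGS.key?(setting)
    raise ArgumentError, "unknown setting #{setting.inspect}"
  end
  same_site = SAME_SITE_SETTINGS[setting]
  if same_site == "None" && !secure
    # Browsers discard SameSite=None cookies that lack Secure.
    raise ArgumentError, "SameSite=None requires the Secure attribute"
  end
  parts = ["#{name}=#{value}", "Path=/", "HttpOnly"]
  parts << "Secure" if secure
  parts << "SameSite=#{same_site}" if same_site
  parts.join("; ")
end

# Classify a Set-Cookie header for a cross-site subrequest:
#   :sent     - cookie accompanies the request
#   :blocked  - cookie is stored but withheld (Lax, Strict, or no attribute,
#               which the new default treats as Lax)
#   :rejected - cookie is never stored (SameSite=None without Secure)
def cross_site_delivery(set_cookie)
  attrs = set_cookie.split(";").drop(1).map { |a| a.strip.downcase }
  same_site = attrs.map { |a| a[/\Asamesite=(.*)\z/, 1] }.compact.last
  return :blocked unless same_site == "none"
  attrs.include?("secure") ? :sent : :rejected
end

# Constructed sample run over every setting, with Secure enabled.
SAME_SITE_SETTINGS.each_key do |setting|
  header = build_set_cookie("session_token", "abc123", setting: setting, secure: true)
  puts format("%-8s %-9s %s", setting, cross_site_delivery(header), header)
end
```

Only the “None” row comes out as `:sent`; “Disabled” produces a header with no `SameSite` attribute and is withheld just like “Lax”.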