Fixed private mode cookie for local development #17938
Conversation
"Make this site private" - not working in Chrome and Opera Closes TryGhost#17514
| @@ -55,7 +55,8 @@ const privateBlogging = { | |||
| name: 'ghost-private', | |||
| maxAge: constants.ONE_MONTH_MS, | |||
| signed: false, | |||
| sameSite: 'none' | |||
| sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax', | |||
| secure: urlUtils.isSSL(config.get('url')) | |||
There was a problem hiding this comment.
Ghost is intended to work locally, over http, as well in production, over https.
Before, the sameSite attribute for the cookie was always set to none.
Here's what the MDN docs have to say about the sameSite attribute:
None specifies that cookies are sent on both originating and cross-site requests, but only in secure contexts (i.e., if SameSite=None then the Secure attribute must also be set).
But for the local-development case in the bug report, the secure flag wasn't being set and can't be set.
Here, the proposed solution it continue to sameSite: none just as before in the https/production case, but resolves the issue by setting sameSite: lax for the local case.
As @joe-blocher points out, Ghost is already using the exact same solution in core/server/services/auth/session/express-session.js for a similar case.
This change LGTM. I recommend merging.
daniellockyer
changed the title
This reverts commit f303eee.
|
Not fixed in version 5.82.2! |
"Make this site private" - not working in Chrome and Opera
Closes #17514
🤖 Generated by Copilot at acad566
Fix private blogging cookie issue with Chrome 80+. Update
sameSiteandsecureoptions for the cookie inmiddleware.jsbased on SSL configuration.