
http.cookie.samesite inconsistency #349

Open
2 of 12 tasks
mmattel opened this issue May 17, 2022 · 3 comments

Comments

@mmattel
Contributor

mmattel commented May 17, 2022

WHAT Needs to be Documented?

When looking at several documents like OIDC, Azure and MS-OFFICE-WOPI, http.cookie.samesite shows different values which are not consistent; this may confuse readers. Used values are none and lax.

We should agree on one value and note if possible an alternative one.

WHERE Does This Need To Be Documented (Link)?

WHY Should This Change Be Made?

Reduce Confusion

(Optional) What Type Of Content Change Is This?

  • New Content Addition
  • Old Content Deprecation
  • Existing Content Simplification
  • Bug Fix to Existing Content

(Optional) Which Manual Does This Relate To?

  • Admin Manual
  • Developer Manual
  • User Manual
  • Android
  • iOS
  • Branded Clients
  • Desktop Client
  • Other

@tbsbdr @DeepDiver1975

@DeepDiver1975
Member

There is no inconsistency here.

If one only uses wopi - 'lax' is enough
For OpenID 'none' is required

Values for samesite (ordered from highest to lowest strictness): strict, lax, none

@mmattel
Contributor Author

mmattel commented May 17, 2022

What happens if you use OpenID AND WOPI?
Is it ok to use none, and does this do no harm to wopi?
There is no mention of this and this needs to be clarified.
Maybe you know, having good insight, but this is docs where readers have a different background. Can you advise?

@DeepDiver1975
Member

What happens if you use OpenID AND WOPI.

you need to use the lowest strictness which is 'none'

this is plain logic which everybody should be capable of following:

  • use strict whenever possible
  • if necessary relax to 'lax'
  • if it needs to be relaxed even further: use 'none'
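The rule in the comment above, worked through as an added example (this is not code from the ownCloud documentation or from anyone in this issue). It orders the three SameSite values by strictness, starts at strict and relaxes only as far as the weakest requirement among the enabled integrations (the wopi -> lax and openid -> none mapping is taken from the thread; any other entry would be an assumption). It also adds the check a practitioner wants next to this setting: browsers only accept SameSite=None on cookies that are also marked Secure, so a small header builder refuses that combination, and an audit helper flags it in Set-Cookie headers taken from a response. Cookie names and sample headers are constructed for the example.

```python
# Added example: choose and audit the SameSite value, following the
# strict -> lax -> none relaxation rule described in the thread.

# Higher number = stricter. 'none' is the lowest strictness.
STRICTNESS = {"strict": 2, "lax": 1, "none": 0}

# Requirements as stated in the thread. Extend with further integrations
# as needed; the two entries here are the only ones the issue gives.
REQUIREMENTS = {
    "wopi": "lax",
    "openid": "none",
}


def required_samesite(enabled):
    """Return the SameSite value that satisfies every enabled integration.

    Starts at 'strict' and relaxes only as far as the least strict
    requirement, so OpenID + WOPI together yield 'none'.
    """
    value = "strict"
    for name in enabled:
        need = REQUIREMENTS[name]  # unknown integration -> KeyError on purpose
        if STRICTNESS[need] < STRICTNESS[value]:
            value = need
    return value


def set_cookie_header(name, cookie_value, samesite, secure=True):
    """Build a Set-Cookie header value for a session cookie.

    SameSite=None is only honoured by browsers when the cookie is also
    Secure, so that pairing is enforced here rather than left to chance.
    """
    samesite = samesite.lower()
    if samesite not in STRICTNESS:
        raise ValueError(f"unknown SameSite value: {samesite}")
    if samesite == "none" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    attrs = [f"{name}={cookie_value}"]
    if secure:
        attrs.append("Secure")
    attrs += ["HttpOnly", "Path=/", f"SameSite={samesite.capitalize()}"]
    return "; ".join(attrs)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header value.

    Flags a missing SameSite attribute (browser default applies), an
    unknown value, and SameSite=None without Secure.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value of the cookie itself
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.lower()
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("no SameSite attribute (browser default applies)")
    elif samesite not in STRICTNESS:
        findings.append(f"unknown SameSite value: {samesite}")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    return findings


if __name__ == "__main__":
    for enabled in ([], ["wopi"], ["openid"], ["openid", "wopi"]):
        print(f"{enabled!r:20} -> {required_samesite(enabled)}")
    # Constructed header: the combination browsers reject.
    print(audit_set_cookie("sid=abc; Path=/; SameSite=None"))
    print(set_cookie_header("sid", "abc", required_samesite(["openid", "wopi"])))
```

The point of `required_samesite` is that the setting is decided per deployment, not per document: the value the docs should name is the least strict one any enabled integration needs, which is why a combined OpenID + WOPI setup lands on none.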
