Don't send SameSite=None to incompatible browsers
We set `SameSite=None` in GitLab 12.10 via https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28205 because Chrome v80, rolled out in March 2020, treats any cookies without the `SameSite` directive set as though they are `SameSite=Lax` (https://www.chromestatus.com/feature/5088147346030592). This is a breaking change from the previous default behavior, which was to treat those cookies as `SameSite=None`.

However, older browsers (e.g. MacOS 10.14 on Safari 13.0.3) may interpret the `None` as `Strict`, which causes users that click on gitlab.com links from third-party sites (e.g. Gmail, Slack) to log in again.

https://www.chromium.org/updates/same-site/incompatible-clients recommends a set of regular expressions to determine whether to send this. This commit implements most of the logic but skips one case since this doesn't seem common: macOS 10.14 with an embedded WebKit browser. This is also what https://rubygems.org/gems/rails_same_site_cookie does.

I considered using that gem (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40663), but I didn't like how it added another dependency (`user_agent_parser`) that loads a large YAML database (https://github.com/ua-parser/uap-ruby#the-pattern-database).
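The user-agent check the commit describes, written out as an added Ruby example. This is not GitLab's code and not the rails_same_site_cookie gem; it follows the pseudocode and regular expressions published on the chromium.org incompatible-clients page as I recall them, so the patterns should be checked against that page before relying on them. Unlike the commit, it also covers the macOS 10.14 embedded-WebKit case. The User-Agent strings at the bottom are constructed for the demonstration.

```ruby
# frozen_string_literal: true

# Decide whether a response may carry `SameSite=None` for the requesting
# client. Mirrors the pseudocode at
# https://www.chromium.org/updates/same-site/incompatible-clients
# (added example, not GitLab's code; regexes reproduced from memory of
# that page and should be verified against it).
module SameSiteNoneCompat
  IOS_VERSION_RE      = %r{\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/}
  MACOS_VERSION_RE    = %r{\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/}
  SAFARI_RE           = %r{Version/.* Safari/}
  # Ruby's ^ and $ are line anchors, so \A and \z stand in for the page's ^ and $.
  MAC_EMBEDDED_RE     = %r{\AMozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ \(KHTML, like Gecko\)\z}
  CHROMIUM_RE         = /Chrom(e|ium)/
  CHROMIUM_VERSION_RE = %r{Chrom[^ /]+/(\d+)[.\d]* }
  UC_BROWSER_RE       = %r{UCBrowser/}
  UC_VERSION_RE       = %r{UCBrowser/(\d+)\.(\d+)\.(\d+)[.\d]* }

  module_function

  # Entry point: true when `SameSite=None` can be sent to this client.
  def send_same_site_none?(user_agent)
    !incompatible?(user_agent.to_s)
  end

  def incompatible?(ua)
    webkit_same_site_bug?(ua) || drops_unrecognized_same_site_cookies?(ua)
  end

  # iOS 12 and macOS 10.14 WebKit treat SameSite=None as SameSite=Strict,
  # which logs users out when they arrive from a third-party site.
  def webkit_same_site_bug?(ua)
    ios_version?(12, ua) ||
      (macos_version?(10, 14, ua) && (safari?(ua) || mac_embedded_browser?(ua)))
  end

  # Chromium 51-66 and UC Browser before 12.13.2 reject cookies carrying an
  # unrecognised SameSite value instead of ignoring the attribute.
  def drops_unrecognized_same_site_cookies?(ua)
    return !uc_browser_version_at_least?(12, 13, 2, ua) if uc_browser?(ua)

    chromium_based?(ua) &&
      chromium_version_at_least?(51, ua) &&
      !chromium_version_at_least?(67, ua)
  end

  def ios_version?(major, ua)
    m = IOS_VERSION_RE.match(ua)
    !m.nil? && m[1].to_i == major
  end

  def macos_version?(major, minor, ua)
    m = MACOS_VERSION_RE.match(ua)
    !m.nil? && m[1].to_i == major && m[2].to_i == minor
  end

  # Chromium-based browsers also say "Safari/", so exclude them explicitly.
  def safari?(ua)
    SAFARI_RE.match?(ua) && !chromium_based?(ua)
  end

  def mac_embedded_browser?(ua)
    MAC_EMBEDDED_RE.match?(ua)
  end

  def chromium_based?(ua)
    CHROMIUM_RE.match?(ua)
  end

  def chromium_version_at_least?(major, ua)
    m = CHROMIUM_VERSION_RE.match(ua)
    !m.nil? && m[1].to_i >= major
  end

  def uc_browser?(ua)
    UC_BROWSER_RE.match?(ua)
  end

  def uc_browser_version_at_least?(major, minor, build, ua)
    m = UC_VERSION_RE.match(ua)
    return false if m.nil?

    # Lexicographic compare of [major, minor, build] triples.
    ([m[1], m[2], m[3]].map(&:to_i) <=> [major, minor, build]) >= 0
  end
end

# Constructed User-Agent strings covering each branch of the decision.
SAMPLE_USER_AGENTS = {
  macos_10_14_safari_13: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15',
  macos_10_14_chrome_80: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36',
  ios_12_safari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1',
  chrome_60_windows: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
  chrome_80_windows: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36',
  uc_browser_12_12: 'Mozilla/5.0 (Linux; U; Android 9; en-US; SM-G960F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.12.0.1226 Mobile Safari/537.36',
  uc_browser_12_13_2: 'Mozilla/5.0 (Linux; U; Android 9; en-US; SM-G960F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.2.1207 Mobile Safari/537.36'
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_USER_AGENTS.each do |name, ua|
    puts format('%-22s send SameSite=None? %s', name, SameSiteNoneCompat.send_same_site_none?(ua))
  end
end
```

In a Rails app the result of `send_same_site_none?(request.user_agent)` would gate whether the session cookie gets `same_site: :none` or is left without the attribute for the affected clients; note that the UC Browser sample also reports Chrome/57, so the UC branch has to be checked first, as the page's pseudocode does.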