You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Lockers's Set-Cookie response header includes "SameSite=Strict"
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of pulibrary/dacs_handbook#154
If a user logs into Lockers, navigates to a non-Princeton Web site (e.g. Gmail), and then clicks a link from that Web site back to Lockers, they will need to log in to Lockers again.
Success criteria
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of pulibrary/dacs_handbook#154
Example PR
pulibrary/orangelight#3932
Tradeoff
If a user logs into Lockers, navigates to a non-Princeton Web site (e.g. Gmail), and then clicks a link from that Web site back to Lockers, they will need to log in to Lockers again.
Further reading
I found this from Mozilla, this from Portswigger, and this blog post from Andrew Lock to be helpful in understanding this topic.
The text was updated successfully, but these errors were encountered: