Amplify-js: CookieStorage should handle the "SameSite" attribute.

Created on 21 Feb 2020 · 9 Comments · Source: aws-amplify/amplify-js

Is your feature request related to a problem? Please describe.
Cookies are going to be samesite=lax by default in Chrome 80. aws-amplify should allow users to set the samesite value.

Describe the solution you'd like
The CookieStorage class should handle the samesite attribute. Currently it only handles domain, path, expires, and secure.

Additional context
aws-amplify uses js-cookie. js-cookie already supports the samesite attribute, so aws-amplify should too.

EDIT: This change should take 5 minutes at most. It's simply a matter of adding another property to check for, since you just forward them to js-cookie anyways. I get that this library is drowning in issues and technical debt, but this is a rather simple change that doesn't affect other areas of the code base.

Auth feature-request

Most helpful comment

We're in need of this as well. Our use case is that some customers iframe parts of our app into their portals and internal websites. This functionality breaks in the latest stable version of Chrome unless we add the samesite attribute.

I'm willing to open a pull-request for this, following the contribution guidelines, if I can get the go ahead from a repo owner.

All 9 comments

I needed this too on a Shopify app, so I used this workaround after calling the signIn method:

document.cookie.split(';').forEach((cookie) => {
  // delete existing
  document.cookie = cookie.split('=')[0] + '=; expires=Thu, 01 Jan 1970 00:00:00 UTC;';
  // create new one (max-age of 2592000 seconds is 30 days)
  document.cookie = cookie + '; path=/; max-age=2592000; sameSite=None; secure';
});

I should add that we went ahead and implemented our own CookieStorage class, copying the existing one and adding samesite support. The solution works well until #5726 gets approved.

Auth.configure({
  ...
  storage: new CookieStorage({
    domain: ...,
    samesite: 'none',
  }),
});
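
An added example, not code from amplify-js, js-cookie, or anyone in this thread: one way a cookie storage helper can validate a SameSite option before building the cookie string, including the rule that SameSite=None only works together with Secure. The function names, the `sameSite` option spelling, the `secure: true` default and the sample values are assumptions for illustration.

```javascript
// Added example: hypothetical helper names, not amplify-js or js-cookie code.
const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);

// Normalize and validate the option; undefined means "attribute not set".
function normalizeSameSite(sameSite, secure) {
  if (sameSite === undefined) return undefined;
  const canonical = SAME_SITE.get(String(sameSite).toLowerCase());
  if (!canonical) {
    throw new Error(`sameSite must be strict, lax or none (got ${sameSite})`);
  }
  // Chrome 80+ rejects SameSite=None cookies that lack the Secure attribute.
  if (canonical === 'None' && !secure) {
    throw new Error('sameSite "none" requires secure: true');
  }
  return canonical;
}

// Build the string a storage class would assign to document.cookie.
function buildCookieString(name, value, options = {}) {
  const { domain, path = '/', expires, secure = true, sameSite } = options;
  const canonical = normalizeSameSite(sameSite, secure);
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Path=${path}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (canonical) parts.push(`SameSite=${canonical}`);
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// True when the cookie is eligible to be sent from a cross-site iframe.
// Simplified model: an unset attribute is treated as Lax (Chrome 80 default).
function sentInCrossSiteIframe(options = {}) {
  const { secure = true, sameSite } = options;
  return normalizeSameSite(sameSite, secure) === 'None';
}

// Constructed sample values for illustration.
const embedded = { domain: 'app.example.com', sameSite: 'none' };
console.log(buildCookieString('idToken', 'abc 123', embedded));
console.log(sentInCrossSiteIframe({ domain: 'app.example.com' }));
```
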

Fixed via #5726

This will be released soon!

Why only Lax and Strict? None should be a valid value too.

@ericclemmons can you please check this; it's critical for a project I'm working on.

@meddjelaili Merged and released!

legend

Is this only released for @aws-amplify/auth v3? If so, could you also release it for v2? v3 has major breaking changes, and I can't upgrade yet, but I need to be able to configure the same site setting now, with v2.
