Next-i18next: Firefox warning next-i18next cookie not secure

Created on 23 Apr 2020  ·  9 Comments  ·  Source: isaachinman/next-i18next

I'm getting this warning in Firefox 76 with next-i18next 4.3.0:

Cookie “next-i18next” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

All 9 comments

Read the docs.

  // optional expire and domain for set cookie
  cookieExpirationDate: new Date(),
  cookieDomain: 'myDomain',
  cookieSecure: true // if need secure cookie

It looks like SameSite cannot be easily overridden: https://github.com/i18next/i18next-http-middleware/blob/5a2ee9a8188ce5d108ce3ee158054cf5ecb47d45/lib/languageLookups/cookie.js#L78-L83

I guess cookieDomain is the way to go for now.

Sidenote: because the config options are not merged, you'll need to re-add all the default options from next-i18next in your config:

new NextI18next({
  // ...
  detection: {
    lookupCookie: 'next-i18next',
    order: ['cookie', 'header', 'querystring'],
    caches: ['cookie'],
    cookieDomain: 'yourwebsite.com',
  },
})

I am not able to make this work; the SameSite remains none.

I'm using version 4.5.0

Here's my initialisation code:

const nextI18Next = new NextI18Next({
    defaultLanguage: 'en',
    otherLanguages: [],
    localePath: 'src/public/static/locales',
    localeSubpaths: {
        en: 'en',
    },
    serverLanguageDetection: false,
    // debug: true
    detection: {
        lookupCookie: 'lang',
        caches: ['cookie'],
        // setMonth() returns a timestamp number, so wrap it to pass a Date
        cookieExpirationDate: new Date(new Date().setMonth(new Date().getMonth() + 2)),
        cookieSameSite: 'strict',
    },
});

Yes, I need to submit a PR with the updated dependency, but we fixed it upstream.

@martpie We do deep merge some nested objects. What sort of PR did you have in mind?

Didn't we want to backport this at some point? https://github.com/i18next/i18next-http-middleware/pull/8

@martpie We might just need to bump i18next-http-backend to v2.0.0?

Should do the trick indeed 🤔

Looks like v3.0.2 is the latest. Do you want to open a PR, or shall I?
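To confirm after a dependency bump that the language cookie no longer trips the Firefox warning quoted at the top of this thread, the `Set-Cookie` headers a server returns can be checked against the same condition. This is an added example, not code from the thread or from next-i18next; the function names and sample headers are constructed, and treating a missing `SameSite` attribute as a separate `unset` verdict is an assumption of the example.

```javascript
const VALID_SAMESITE = ['strict', 'lax', 'none'];

// Split one Set-Cookie header value into the cookie name and its attributes
// (attribute names lower-cased; flag attributes such as Secure map to '').
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Apply the condition from the Firefox warning: SameSite is "none" or an
// invalid value, and the Secure attribute is missing.
function auditSameSite(header) {
  const { name, attrs } = parseSetCookie(header);
  const secure = 'secure' in attrs;
  const sameSite = attrs.samesite?.toLowerCase();
  const valid = VALID_SAMESITE.includes(sameSite);
  let verdict = 'ok';
  if (sameSite === undefined) verdict = 'unset'; // assumption: not covered by this warning
  else if (!secure && (sameSite === 'none' || !valid)) verdict = 'rejected-soon';
  else if (!valid) verdict = 'invalid-value';
  return { name, sameSite, secure, verdict };
}

// Names of the cookies that match the warning's condition.
function flaggedCookies(headers) {
  return headers.map(auditSameSite)
    .filter((r) => r.verdict === 'rejected-soon')
    .map((r) => r.name);
}

// Constructed sample headers, not captured from a real server.
const SAMPLE_HEADERS = [
  'next-i18next=en; Path=/; SameSite=None',
  'next-i18next=en; Path=/; SameSite=None; Secure',
  'lang=en; Path=/; SameSite=Strict',
  'lang=en; Path=/; SameSite=bogus',
  'lang=en; Path=/',
];

console.log(SAMPLE_HEADERS.map(auditSameSite));
```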
