by rowan_m
2423 days ago
Correct, in that I think of a "Site" as an entity defined a layer above the "Domain". However, the "Domain" attribute and the "SameSite" attribute control different behaviour.

"SameSite" affects sending the cookie in situations where the top-level site in the browser context is different from the target site of the request where the browser is determining if it should send cookies, e.g. on example.site with an iframe to widget.site.

"Domain" determines the highest level domain to which cookies should be sent, regardless of the browsing context, e.g. on example.site an iframe on widgets.example.site or top-level navigation to accounts.example.site.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se... details:

> * If omitted, defaults to the host of the current document URL, not including subdomains.
> * If a domain is specified, subdomains are always included.
I have a couple of setups where an application has a single sign-on for root and subdomains. The shared cookie has the Domain attribute set to the root domain, but (so far) they have no explicit SameSite attribute.
I searched around and came to the conclusion that the above setup will behave the same way with new default SameSite=Lax. However, there wasn't a canonical reference that I could point to, to prove this works as I expect.
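An added example, not code from either commenter: a small model of how a browser combines the Domain check (which hosts may receive the cookie) with the SameSite check (whether the top-level site and the request target are the same site), applied to the SSO setup above, a Domain=example.site cookie with no SameSite attribute treated as Lax by default. Assumptions: "site" is approximated as the last two host labels (no Public Suffix List), and the temporary Lax+POST exception some browsers apply is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    host: str                       # host that set the cookie
    domain: Optional[str] = None    # Domain attribute; None if omitted
    samesite: Optional[str] = None  # "Strict", "Lax", "None"; None if omitted
    secure: bool = False

def site_of(host: str) -> str:
    # Simplified "site": the registrable domain taken as the last two labels.
    # Assumption: no Public Suffix List lookup (so e.g. co.uk would be wrong here).
    return ".".join(host.lower().split(".")[-2:])

def domain_matches(cookie: Cookie, request_host: str) -> bool:
    # Domain omitted: host-only cookie, exact host match, no subdomains.
    # Domain set: that domain and all of its subdomains.
    request_host = request_host.lower()
    if cookie.domain is None:
        return request_host == cookie.host.lower()
    d = cookie.domain.lower().lstrip(".")
    return request_host == d or request_host.endswith("." + d)

def effective_samesite(cookie: Cookie) -> str:
    # New browser default: a missing SameSite attribute behaves as Lax.
    return cookie.samesite if cookie.samesite is not None else "Lax"

def is_sent(cookie: Cookie, request_host: str, top_level_host: str,
            top_level_navigation: bool = False, method: str = "GET") -> bool:
    """Decide whether `cookie` is attached to a request for `request_host`
    made while the top-level document is on `top_level_host`."""
    if not domain_matches(cookie, request_host):
        return False
    if site_of(request_host) == site_of(top_level_host):
        return True                      # same-site: SameSite never blocks
    mode = effective_samesite(cookie)
    if mode == "Strict":
        return False
    if mode == "Lax":                    # only top-level navigations with safe methods
        return top_level_navigation and method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE")
    return cookie.secure                 # SameSite=None also requires Secure

# Constructed cookies mirroring the two scenarios in the thread.
SSO = Cookie("sso", host="example.site", domain="example.site")   # no SameSite -> Lax
HOST_ONLY = Cookie("sess", host="example.site")                    # Domain omitted
WIDGET = Cookie("w", host="widget.site")                           # third-party, Lax default
WIDGET_NONE = Cookie("w", host="widget.site", samesite="None", secure=True)
```

With these, `is_sent(SSO, "widgets.example.site", "example.site")` is True (same site, Domain covers the subdomain), while `is_sent(WIDGET, "widget.site", "example.site")` is False because an iframe on a different site is not a top-level navigation.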