-
-
Notifications
You must be signed in to change notification settings - Fork 489
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add setting to use cross-origin cookie for "detectBrowserLocale" #853
Conversation
change locale cookie options sameSite to none allow setting cookie in iFrame integration
It doesn't seem like I think it would need to be an option instead so one can customize if needed. |
An option would also work for me. But it is a common issue and I don‘t see a problem using SameSite=None and secure since the information in the cookie is not critical. |
I don't know how (But as I said, I haven't experimented with |
That’s not the case. Actually, none is the most universal option and won‘t restrict the application of the cookie at all. It is only important to prevent none when storing sensible information in the cookie which must not be leaked to other sites. Having none allows other domains to read the cookie, too. |
But I just discovered that the linked PR is incomplete. There is still some validation in place which does not allow the none setting and throws an error. |
Sorry to write it here but Instead of adding another option or changing cookie settings there is already a PR that handles your case so basically we should wait for it. Thanks. |
@divine yes, it sounds similar, but I don‘t see this option as a solution for my needs. I don‘t want to disable redirects at all, I just want it to work in an iFrame and therefor the cookie settings need to be changed. |
I've read up on SameSite and I think it would be fine to use SameSite=None. The cookie we are talking about here is not security or session-related so it doesn't pose a risk when sent from third-party sites. The only thing is that SameSite=None is fairly new so if we only send this one, an older browser versions will not understand it. The good thing is that they should default to Lax then but that can trigger a warning in the developer console. |
@rchl thank you for checking. I have to correct myself, the PR is working. I had a local issue where another package required cookie@0.3 while the cookie package only supports samesite=none from 0.4. But the deps in this repo are correct, so this was only a specific issue for me. |
I don't think your PR should be merged at all. Here is a reason from web.dev.
Anyways, what you're trying to achieve doesn't require cookie change, you should await another PR which is definitely what you're looking for. Thanks! |
Yes, using @divine Those are separate issues at the root because here the cookie is always ignored, regardless if visiting default or non-default locale. |
@rchl well, that was what I've understand from that message.
Basically, another PR could probably resolve this, that's why I'd mentioned sorry to write it here :) Thanks! |
You‘re right, secure is missing. But the issue is not only about non-default locales, its more general. |
add secure option to cookie
add option crossOriginCookie to enable sameSite: none and secure: true cookie settings
pass crossOriginCookie to setLocaleCookie
add default for crossOriginCookie
add crossOriginCookie to type definition
add crossOriginCookie to docs
@rchl I added an option to enable the cross-origin cookie. I would appreciate if you can review the changes. |
Can you also update |
remove bool casting
update es docs for browser language detection
@rchl all done, thanks for the comments! |
Basically by default cookie has now Why should be Doesn't make sense. |
@divine secure: false is and was the default value (even if not explicitly specified). So no changes to default. |
@lucianholt97 thank you |
Note that I'm renaming this option from |
change locale cookie options sameSite to none
-> allow setting cookie in iFrame integration
closes #852