18F · sbc100 · Jun 21, 2016 · Jun 21, 2016
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
@@ -25,8 +25,10 @@
   config.cookies = {
     secure: true, # mark all cookies as "Secure"
     httponly: true, # mark all cookies as "HttpOnly"
+    # We need to set the SameSite setting to "Lax", not "Strict" until this bug
+    # is fixed in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=619603
     samesite: {
-      strict: true # mark all cookies as SameSite=Strict
+      lax: true # mark all cookies as SameSite=Lax.
     }
   }
   # Temporarily disabled until we configure pinning. See GitHub issue #1895.