Set OAuth cookies SameSite to lax

Shopify · Feb 9, 2021 · 8258a6a · 8258a6a
1 parent ce3671a
commit 8258a6a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 - Webhooks types are now exported outside the library [#91](https://github.com/shopify/shopify-node-api/pull/91)
 ### Fixed
 - Use cryptographically random bytes to generate nonce [#98](https://github.com/Shopify/shopify-node-api/pull/98)
+- Stop using `SameSite=none` cookies for OAuth, using `lax` instead [#100](https://github.com/Shopify/shopify-node-api/pull/100)
 
 ## [0.3.1] - 2021-02-03
 ### Fixed

diff --git a/src/auth/oauth/oauth.ts b/src/auth/oauth/oauth.ts
@@ -63,7 +63,7 @@ const ShopifyOAuth = {
     cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, session.id, {
       signed: true,
       expires: new Date(Date.now() + 60000),
-      sameSite: 'none',
+      sameSite: 'lax',
       secure: true,
     });
 
@@ -173,7 +173,7 @@ const ShopifyOAuth = {
     cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, currentSession.id, {
       signed: true,
       expires: oauthSessionExpiration,
-      sameSite: 'none',
+      sameSite: 'lax',
       secure: true,
     });