From 8258a6a832a6d33a9d45a3a954ead134145b6090 Mon Sep 17 00:00:00 2001
From: Paulo Margarido
Date: Tue, 9 Feb 2021 15:00:46 -0500
Subject: [PATCH] Set OAuth cookies SameSite to lax

---
 CHANGELOG.md | 1 +
 src/auth/oauth/oauth.ts | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7719455cf..07d3f2ed4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 - Webhooks types are now exported outside the library [#91](https://github.com/shopify/shopify-node-api/pull/91)
 ### Fixed
 - Use cryptographically random bytes to generate nonce [#98](https://github.com/Shopify/shopify-node-api/pull/98)
+- Stop using `SameSite=none` cookies for OAuth, using `lax` instead [#100](https://github.com/Shopify/shopify-node-api/pull/100)
 ## [0.3.1] - 2021-02-03
 ### Fixed
diff --git a/src/auth/oauth/oauth.ts b/src/auth/oauth/oauth.ts
index 6c9098724..d92a9a6f4 100644
--- a/src/auth/oauth/oauth.ts
+++ b/src/auth/oauth/oauth.ts
@@ -63,7 +63,7 @@ const ShopifyOAuth = {
     cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, session.id, {
       signed: true,
       expires: new Date(Date.now() + 60000),
-      sameSite: 'none',
+      sameSite: 'lax',
       secure: true,
     });
@@ -173,7 +173,7 @@ const ShopifyOAuth = {
     cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, currentSession.id, {
       signed: true,
       expires: oauthSessionExpiration,
-      sameSite: 'none',
+      sameSite: 'lax',
       secure: true,
     });
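Review bot: The new `sameSite: 'lax'` line in the `@@ -63,7` hunk (and the identical one in the `@@ -173,7` hunk) encodes a constraint that is not obvious from the code and should be documented: the OAuth callback arrives as a cross-site top-level GET redirect from the authorization server, which browsers still attach a Lax cookie to, whereas `'strict'` would drop the session cookie and break the callback. The other side of the trade-off is that Lax, unlike the removed `'none'`, is never sent in a third-party iframe context, so if this callback can be reached while the app is loaded inside an embedded frame the signed session cookie will be absent at that point — worth confirming against how the app is served before relying on this as the only state carrier. Suggest adding above each `sameSite` line: `// 'lax' (not 'strict') so the cookie survives the top-level GET redirect back from the authorization server; it is not sent inside third-party iframes.` Both `cookies.set` calls sit inside methods of `ShopifyOAuth` whose bodies start and end outside these hunks.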