Set OAuth cookies SameSite to lax

CHANGELOG.md

@@ -10,6 +10,7 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 - Webhooks types are now exported outside the library [#91](https://github.com/shopify/shopify-node-api/pull/91)
 ### Fixed
 - Use cryptographically random bytes to generate nonce [#98](https://github.com/Shopify/shopify-node-api/pull/98)
+- Stop using `SameSite=none` cookies for OAuth, using `lax` instead [#100](https://github.com/Shopify/shopify-node-api/pull/100)
 
 ## [0.3.1] - 2021-02-03
 ### Fixed

src/auth/oauth/oauth.ts

@@ -63,7 +63,7 @@ const ShopifyOAuth = {
     cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, session.id, {
       signed: true,
       expires: new Date(Date.now() + 60000),
-      sameSite: 'none',
+      sameSite: 'lax',
       secure: true,
     });
 
@@ -173,7 +173,7 @@ const ShopifyOAuth = {
     cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, currentSession.id, {
       signed: true,
       expires: oauthSessionExpiration,
-      sameSite: 'none',
+      sameSite: 'lax',
       secure: true,
     });