Services with absent engineers should be breaking left and right this month due to changes to SameSite attributes on cookies that hit browsers in early Feb. The intention of the change is to provide some long overdue changes to defaults on cookies with better privacy.
This is a change that’s been underway for years but came as a surprise when it actually shipped. I coordinated updates to ~40 packages owned by 5 different teams at my company, and had to put aside a good amount of other critical product work for about a week to ensure we didn’t encounter any customer issues.
The crux of the issue for maintainers is that Auth flows that require cookies to be sent around different origins (e.g. OAuth with form_post) will no longer work unless they update the cookies to explicitly be SameSite=none and Secure=true. Chrome led the pack on shipping the changes to browsers, but also implemented a special timeout rule that temporarily allows cookies that don’t meet the new spec to be set anyway to try to ensure auth flows don’t break. Eventually they will lift this timeout. Firefox has shipped support but has not implemented such a timeout.
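To make the breakage described above concrete, here is a small audit of `Set-Cookie` headers under the new defaults (unspecified SameSite treated as Lax, and SameSite=None only honoured together with Secure). It is an added example, not code from the original comment; the sample headers are constructed, and the function names are my own.

```python
"""Check which cookies survive a cross-site top-level POST (e.g. an OAuth
form_post callback) under the new SameSite defaults. Added example;
sample headers are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    samesite: str            # effective SameSite: "lax", "strict" or "none"
    secure: bool
    sent_on_cross_site_post: bool
    note: str


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name/value plus the Secure and SameSite attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value, "secure": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower()
    return cookie


def audit_cookie(header: str) -> CookieVerdict:
    c = parse_set_cookie(header)
    samesite = c["samesite"]
    if samesite == "none":
        if not c["secure"]:
            # SameSite=None without Secure is rejected under the new rules.
            return CookieVerdict(c["name"], "none", False, False,
                                 "SameSite=None without Secure is rejected")
        return CookieVerdict(c["name"], "none", True, True,
                             "SameSite=None; Secure: still sent on cross-site POST")
    if samesite in ("lax", "strict"):
        return CookieVerdict(c["name"], samesite, c["secure"], False,
                             f"SameSite={samesite} is never sent on a cross-site POST")
    # Missing or unrecognised value: the new default treats it as Lax.
    return CookieVerdict(c["name"], "lax", c["secure"], False,
                         "no SameSite attribute; now defaults to Lax and is dropped")


# Constructed sample headers, as an IdP callback handler might receive them.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                        # breaks after the change
    "oidc_state=xyz; SameSite=None; Secure; HttpOnly",         # correct for form_post
    "login_nonce=n1; SameSite=None; Path=/",                   # rejected: None without Secure
]


def audit_all(headers=SAMPLE_HEADERS) -> list:
    return [audit_cookie(h) for h in headers]
```

Run `audit_all()` against the headers your auth service actually emits; every cookie the callback needs must come back with `sent_on_cross_site_post` true.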