fix: Use SameSite=Lax on cookies
The use of `SameSite=Strict` on the aurweb cookies currently breaks navigation from third-party origins. For example, navigating to aurweb from a search engine or a webmail provider leads to confusion because the chosen language and the login session ID aren't sent by the browser in these cases.

The fix for this is to use `SameSite=Lax`, which is similar to `SameSite=Strict` except that cookies are sent when the user navigates cross-site, for example by server-initiated redirects or by following a hyperlink. Like `SameSite=Strict`, in the case of JavaScript XHR or HTML resource fetches (`<link>`, `<script>`, `<img>`, etc.), cookies are not sent. See more about `SameSite=Lax` here.
I have prepared a test page for manual testing at https://pages.x0.is/aurweb-samesite-lax-test.html

This page includes various ways to redirect to https://localhost:8444/. So to test, you'd just need to start up aurweb locally with `disable_http_login=1`.
In addition to adjusting the existing secure login test, this MR also adds a test for insecure logins (`disable_http_login=0`) to improve test coverage a little bit.
Merge request reports
Activity
changed milestone to %August release 6.1.0
- Resolved by Joakim Saario
- Resolved by Joakim Saario
Other than the doc. review comment up here, just one small request: could you add `fix:` to the front of your commit's subject line via `--amend`? Without `fix:` (or some other git-cliff used prefix), the change won't be included with git-cliff notes.
mentioned in issue #351 (closed)
mentioned in issue #325 (closed)