Safari not sending cookie even after setting SameSite=None; Secure
Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug, which means that SameSite=None is erroneously treated as SameSite=Strict, i.e. the most restrictive setting.
I've published some guidance in SameSite cookie recipes on either:
- Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
- Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.
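The first of those two approaches, the "two sets of cookies" fallback, as an added example that is not code from the answer above or from the SameSite cookie recipes article. It assumes the server issues both a SameSite=None; Secure cookie and a "-legacy" twin with no SameSite attribute (the suffix is an assumption), and reads whichever one the browser sent back:

```javascript
// Added example: the "two sets of cookies" mitigation for browsers that
// mishandle SameSite=None (e.g. Safari on macOS 10.14 / iOS 12).
// The "-legacy" suffix and the header formats are assumptions.

// Build the two Set-Cookie header values. Both copies are Secure and
// HttpOnly so the fallback weakens nothing but the SameSite attribute:
//  - the modern cookie carries SameSite=None for browsers that implement it;
//  - the legacy cookie omits SameSite, which the buggy browsers treat as
//    the old default ("send cross-site") instead of Strict.
function buildSetCookieHeaders(name, value, maxAgeSeconds) {
  const common = `Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly`;
  const v = encodeURIComponent(value);
  return [
    `${name}=${v}; ${common}; SameSite=None`,
    `${name}-legacy=${v}; ${common}`,
  ];
}

// Parse an incoming Cookie request header into a Map; the first
// occurrence of a name wins, matching how browsers order duplicates.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const k = part.slice(0, idx).trim();
    const val = part.slice(idx + 1).trim();
    if (k && !jar.has(k)) jar.set(k, decodeURIComponent(val));
  }
  return jar;
}

// Read the cookie value, preferring the modern copy and falling back to
// the legacy copy when the browser dropped the SameSite=None one.
// Note: the legacy copy is sent cross-site by every browser, so the
// application still needs its own CSRF defences for that cookie.
function readCookie(header, name) {
  const jar = parseCookieHeader(header);
  return jar.get(name) ?? jar.get(`${name}-legacy`) ?? null;
}
```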
This is also an issue in Safari 14. Safari no longer sends third-party cookies by default. This is because they introduced the privacy preference "Prevent cross-site tracking", which is turned on by default. So even if you set your cookies with SameSite=None; Secure, they still won't be set or sent cross-domain.
For applications coded in Ruby (specifically Rails, Sinatra, or anything atop Rack), the RailsSameSiteCookie gem solves this and related issues quite nicely. The code reads like a near translation of the pseudocode in the Chromium discussion, without the brittle regexes.