From 51c570c3f76465d0db4f641a858e265d90edaeef Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Wed, 26 Apr 2017 15:52:15 -0700
Subject: [PATCH] Merge pull request #1403 from 18F/margolis-1915-lax-cookie

Set SameSite=Lax to fix OIDC CSP issue
---
 config/initializers/secure_headers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 0c50fa271b0..4cb72d23186 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -45,7 +45,7 @@
 secure: true, # mark all cookies as "Secure"
 httponly: true, # mark all cookies as "HttpOnly"
 samesite: {
-strict: true # mark all cookies as SameSite=Strict.
+lax: true # SameSite setting.
 },
 }
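Review bot: The new comment `# SameSite setting.` on the `lax: true` line drops the rationale the removed `# mark all cookies as SameSite=Strict.` comment carried, and the reason matters here because this block applies to every cookie, the session cookie included. Record why Lax was chosen, e.g. `lax: true # SameSite=Lax: Strict withholds the session cookie on the cross-site top-level redirect back from an OIDC relying party` (the OIDC motivation is from the commit title; confirm the exact flow). Lax still attaches cookies to cross-site top-level GET navigations, so relative to Strict this widens exposure; it stays acceptable only if no GET endpoint performs a state change and the framework's CSRF token check remains enabled for non-GET requests, which is worth stating in the comment or commit description since the diff itself cannot show it. The cookie configuration hash that these keys belong to opens before the hunk.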