Re-lax la portée des cookies (#371)

Co-authored-by: Guillaume Grossetie <[email protected]>
EcrituresNumeriques · May 2, 2021 · 5d61c9e · 5d61c9e
1 parent 747664e
commit 5d61c9e
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/graphql/app.js b/graphql/app.js
@@ -58,8 +58,7 @@ const secureCookie = process.env.HTTPS === 'true'
 // When using 'strict' value, cookies will not be sent along with requests initiated by third-party websites.
 // Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
 const allowedOrigins = (origin ?? '').split(' ').filter(v => v).map(o => new RegExp('^' + o))
-// Note that SameSite=none requires secure
-const sameSiteCookies = allowedOrigins.length === 1 ? 'strict' : secureCookie ? 'none' : 'lax'
+const sameSiteCookies = process.env.NODE_ENV === 'production' ? 'lax' : 'none'
 if (sameSiteCookies === 'none') {
   console.warn('Cookies are configured with `sameSite: none`.')
 }