You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Repec's Set-Cookie response header includes "SameSite=Strict"
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of pulibrary/dacs_handbook#154
If a user logs into Repec, navigates to a non-Princeton Web site (e.g. Outlook), and then clicks a link from that Web site back to Repec, they will need to log in to Repec again.
Success criteria
Rationale
This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases. Part of pulibrary/dacs_handbook#154
Example PR
pulibrary/orangelight#3932
Tradeoff
If a user logs into Repec, navigates to a non-Princeton Web site (e.g. Outlook), and then clicks a link from that Web site back to Repec, they will need to log in to Repec again.
Further reading
I found this from Mozilla, this from Portswigger, and this blog post from Andrew Lock to be helpful in understanding this topic.
The text was updated successfully, but these errors were encountered: