Google authentication seems to work okay with Chrome 99 for me.
However, I still think it would be a good idea to set samesite explicitly within XenForo vs. rely on whatever browsers think should be the default (which sometimes changes between browser versions) or at least allow sites to set what they want samesite to be via a config setting (similar to secure). See: https://xenforo.com/community/threads/problems-with-google-authentication-not-working.202235/post-1559552
My particular use case is I have something built with XenForo that is intended to display inside an iframe (on a different site). Setting samesite to None allows users to stay logged in within that iframe. I've worked around it by extending XF\Http\Response::setCookieRaw(), so it's not a dealbreaker, but it would be nice (and what happens if future browser versions decide again to change what the default should be?).
The reasoning that browsers recently switched the default to samesite=lax is to protect against CSRF attacks on sites that are poorly designed. XenForo has robust CSRF protection at its core, so the new default that is more restrictive serves no purpose in XenForo.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite