Hacker News new | past | comments | ask | show | jobs | submit login

I don't understand why you sometimes need to not send the header. What happens if you do, in those cases?

https://bugs.webkit.org/show_bug.cgi?id=198181 . If you tell Safari SameSite=None it treats it as SameSite=Strict. If you tell Chrome a couple months from now without SameSite=None, you get SameSite=Lax. There's no way to do this without UA sniffing.

That seems like a pretty egregious bug, presumably there's a spec someone is in violation of?

The blame lies somewhere between Safari and Chrome. The "None" value was added after the Safari implementation, and then Chrome wants to do the default-changing this year now. Unfortunately it looks like the fix isn't going to get backported to iOS 12, so here we are :-(

The point is that UA sniffing provides a last resort way of dealing with bugs in browsers until they are properly fixed (if ever). Imperfect as UA sniffing is, it's a lot better than having literally no way to identify and fix an issue people are having.

The question here is whether the browser is a tool to solve your business issues, or whether it is a a service that is more similar to police, firefighters or healthcare. I am way more biased towards the second.

Safari was not following the spec.

Depends on whuch spec you mean. Older versions of safari (anf chrome) were following the original proposed standard (rfc 6265), which said invalid values should be treated as strict. Later versions of Chrome are following a later internet-draft (rfc 6265bis, which I think was proposed by google), that introduced SameSite=none, and changed the behavior for unknown values to be the same as none.

If you send SameSite=None, Chrome 51 through 66 ignore the Set-Cookie header. Chrome 80 requires SameSite=None for cross domain POSTs (e.g. authentication). Google is recommending removing the User-Agent header while Google websites use User Agent detection to workaround bugs in Google User Agents. See https://www.chromium.org/updates/same-site/incompatible-clie... for details of other incompatible User Agents.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact