Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug which means that SameSite=None
is erroneously treated as SameSite=Strict
, e.g. the most restrictive setting.
I’ve published some guidance in SameSite cookie recipes on either:
- Using two sets of cookies to account for browsers that support
SameSite=None; Secure
and those that don’t. - Sniffing the user agent for incompatible browsers and not serving
SameSite=None
for those requests.