|
|
@@ -208,11 +208,6 @@ The user receives an email at https://email.example.org that includes a link to
|
|
|
If the user clicks on the link, they would rightfully expect to be authenticated to the social media site.
|
|
|
However, if the `SameSite` attribute is `Strict`, the cookie would not be sent and so the user would not be authenticated.
|
|
|
|
|
|
-[NOTE]
|
|
|
-====
|
|
|
-We could improve the protection and usability of `SameSite` protection against CSRF attacks by implementing https://github.com/spring-projects/spring-security/issues/7537[gh-7537].
|
|
|
-====
|
|
|
-
|
|
|
Another obvious consideration is that, in order for the `SameSite` attribute to protect users, the browser must support the `SameSite` attribute.
|
|
|
Most modern browsers do https://developer.mozilla.org/en-US/docs/Web/HTTP/headers/Set-Cookie#Browser_compatibility[support the SameSite attribute].
|
|
|
However, older browsers that are still in use may not.
|
Marcus Hert Da Coregio