Chrome 80, iframes and cookies
Google is always kind enough to provide us with something to do. This time it's about Chrome defaulting cookies to SameSite=Lax and a relatively new SameSite=None option.
I'm building Shopify apps using Django. The app is embedded inside the store's admin, meaning I can't use Strict or Lax. Django did the same thing and in August 2018 added SESSION_COOKIE_SAMESITE, which defaults to Lax. The way I see it, changing defaults on the server side is a good step. However, this change on the browser side came too quickly for the ecosystem to adapt. The frameworks haven't caught up yet, and even if they had, they would still have to consider incompatible browsers.
tystar and I wrote a middleware for Django 2.2.x and 3.x to handle this. This middleware should be placed before any other middleware.
```python
MIDDLEWARE = [
    "django_toolbox.cookies_middleware.SamesiteCookieMiddleware",
    # ... the rest of the middleware stack follows
]
```
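To show what such a middleware has to do, here is an added, framework-free illustration (not the django_toolbox code): it rewrites the session and CSRF cookies to `SameSite=None; Secure` so they survive inside a cross-site iframe, and strips the attribute entirely for user agents known to reject `SameSite=None`. The user-agent patterns, the `Request`/`Response` stubs and the `view` are assumptions constructed for the example; the real middleware runs on Django's own request and response objects.

```python
import re
from http.cookies import SimpleCookie

# Constructed subset of user agents that mishandle SameSite=None:
# Chrome 51-66 drops such cookies, and iOS 12 / macOS 10.14 Safari treat
# the unknown value as Strict. Assumed for the example, not the package's list.
_INCOMPATIBLE = [
    re.compile(r"Chrom(e|ium)/(5[1-9]|6[0-6])\."),
    re.compile(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/"),
    re.compile(r"Macintosh;.*Mac OS X 10_14.*\) AppleWebKit/.*Version/.*Safari"),
]

def samesite_none_supported(user_agent):
    """False for browsers known to choke on SameSite=None."""
    return not any(p.search(user_agent or "") for p in _INCOMPATIBLE)

class SamesiteCookieMiddleware:
    """Make the named cookies usable from a third-party iframe."""
    def __init__(self, get_response, names=("sessionid", "csrftoken")):
        self.get_response = get_response
        self.names = names

    def __call__(self, request):
        response = self.get_response(request)
        ua = request.META.get("HTTP_USER_AGENT", "")
        for name in self.names:
            if name not in response.cookies:
                continue
            morsel = response.cookies[name]
            if samesite_none_supported(ua):
                morsel["samesite"] = "None"   # cross-site allowed ...
                morsel["secure"] = True       # ... but only over HTTPS
            else:
                # Legacy client: no attribute at all means no restriction.
                morsel["samesite"] = ""
        return response

class Request:                      # stand-in for django.http.HttpRequest
    def __init__(self, user_agent):
        self.META = {"HTTP_USER_AGENT": user_agent}

class Response:                     # stand-in for django.http.HttpResponse
    def __init__(self):
        self.cookies = SimpleCookie()

def view(request):
    resp = Response()
    resp.cookies["sessionid"] = "abc123"       # constructed sample value
    resp.cookies["sessionid"]["samesite"] = "Lax"   # Django's default
    return resp

def serve(user_agent):
    return SamesiteCookieMiddleware(view)(Request(user_agent))
```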