Talk proposal: cookies_same_site_protection :lax or :strict which is better and why? #198
Comments
Hey there, if 10 min or less, would you be interested in doing it this month on the 29th?
@Dipesh8Bhatta heya, any news on that? would you want to do it next week?
Hi Kevin,
I am out of the country at the moment.
I will reach out to you when I am back.
Thanks,
Dipesh
…On Mon, May 22, 2023, 9:53 AM Kevin Garcia-F ***@***.***> wrote:
@Dipesh8Bhatta <https://github.com/Dipesh8Bhatta> heya, any news on that?
would you want to do it next week?
As of Rails 6.1, Rails.application.config.action_dispatch.cookies_same_site_protection has been added. It has :lax, :strict and :none as options.
I believe :lax is as good as :strict in the context of security, and on top of this :lax provides a good user experience. I would like someone to discuss this matter and explain that :lax is no less effective at protecting against cross-origin requests than :strict.
I have read about it on Medium: https://lilyreile.medium.com/rails-6-1-new-framework-defaults-what-they-do-and-how-to-safely-uncomment-them-c546b70f0c5e and a couple of other sites.
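For anyone preparing this talk, here is an added example (not part of the original issue and not Rails code) that models the browser-side SameSite decision as specified in RFC 6265bis and lists the request types where :lax and :strict behave differently. The helper names and scenarios are hypothetical, and whether a request is same-site is passed in as an input rather than computed from a public suffix list.

```ruby
# Added illustration: the browser's decision, not Rails internals. Rails only
# emits the attribute on Set-Cookie, configured through
#   Rails.application.config.action_dispatch.cookies_same_site_protection = :lax

# Methods treated as "safe" for the Lax top-level navigation exception.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Hypothetical helper: true if a browser would attach the cookie to the request.
# Assumes a :none cookie is also marked Secure, as modern browsers require.
def cookie_attached?(policy, same_site:, top_level_navigation:, http_method:)
  return true if same_site # same-site requests carry the cookie under every policy

  case policy
  when :none   then true
  when :strict then false
  when :lax    then top_level_navigation && SAFE_METHODS.include?(http_method.upcase)
  else raise ArgumentError, "unknown policy: #{policy.inspect}"
  end
end

# Constructed request scenarios (labels are illustrative only).
SCENARIOS = {
  "same-site fetch POST"        => { same_site: true,  top_level_navigation: false, http_method: "POST" },
  "cross-site link click (GET)" => { same_site: false, top_level_navigation: true,  http_method: "GET" },
  "cross-site form POST"        => { same_site: false, top_level_navigation: true,  http_method: "POST" },
  "cross-site <img> GET"        => { same_site: false, top_level_navigation: false, http_method: "GET" },
  "cross-site iframe GET"       => { same_site: false, top_level_navigation: false, http_method: "GET" }
}.freeze

# Scenario name => { strict: bool, lax: bool, none: bool }
def decision_matrix
  SCENARIOS.transform_values do |req|
    %i[strict lax none].to_h { |policy| [policy, cookie_attached?(policy, **req)] }
  end
end

# Names of the scenarios where :lax and :strict disagree.
def lax_strict_differences
  decision_matrix.select { |_, row| row[:lax] != row[:strict] }.keys
end

decision_matrix.each do |name, row|
  puts format("%-30s %s", name, row.map { |k, v| "#{k}=#{v}" }.join("  "))
end
puts "lax and strict differ on: #{lax_strict_differences.join(', ')}"
```

In this model the two settings differ only for cross-site top-level navigations using a safe method, so the practical review item under :lax is that no GET route changes state, while under :strict a user arriving from an external link makes that first request without the session cookie.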