Remove :same-site :strict default

weavejester · weavejester · commit 002814ab51f1 · 2023-09-08T20:13:49.000+01:00
Browsers default to :lax, which is a more sensible default. Fixes #32.
diff --git a/src/ring/middleware/defaults.clj b/src/ring/middleware/defaults.clj
@@ -42,7 +42,7 @@
                :keywordize true}
    :cookies   true
    :session   {:flash true
-               :cookie-attrs {:http-only true, :same-site :strict}}
+               :cookie-attrs {:http-only true}}
    :security  {:anti-forgery   true
                :frame-options  :sameorigin
                :content-type-options :nosniff}
diff --git a/test/ring/middleware/defaults_test.clj b/test/ring/middleware/defaults_test.clj
@@ -29,8 +29,7 @@
       (is (= (get-in resp [:headers "Content-Type"]) "application/octet-stream"))
       (let [set-cookie (first (get-in resp [:headers "Set-Cookie"]))]
         (is (.startsWith set-cookie "ring-session="))
-        (is (.contains set-cookie "HttpOnly"))
-        (is (.contains set-cookie "SameSite=Strict")))))
+        (is (.contains set-cookie "HttpOnly")))))
 
   (testing "default charset"
     (let [handler (-> (constantly (-> (response "foo") (content-type "text/plain")))
