1
votes

I've got an issue which is popping up in the console of my web browser when I want to show a picture from Cloudinary. Here is the exact message:

Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute

Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use. Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests

I don't know where I can change this (the SameSite setup) in order to allow my pictures to be viewed.

Thanks

1
Is this a warning or an actual blocker? If you open in incognito, do you see the same messages? - Daniel Mendoza

1 Answer

0
votes

Do you use other cookies than your session_key (or complete session if you use session_store :cookie_store)?
I don't think you need your session id to access pictures from Cloudinary (you authenticate with your api_key and api_secret).

IMHO session_key should be restricted to your own site, so extend your session_store options (i.e. in config/initializers/session_store.rb) from

Rails.application.config.session_store :cookie_store, key: 'session_key'

to

Rails.application.config.session_store :cookie_store, key: 'session_key', same_site: :strict
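
As an added example (not part of the answer above, and not Rails or Cloudinary code), this Ruby script applies the rules from the quoted console message to Set-Cookie headers and reports whether each cookie would accompany a cross-site image request. The helper names `parse_set_cookie`, `sent_cross_site?` and `audit`, and the sample headers, are assumptions constructed for the illustration.

```ruby
# Added example: applies the SameSite rules from the console message above.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Parse one Set-Cookie header value into the fields the rules depend on.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip).reject(&:empty?)
  opts = attrs.to_h { |a| k, v = a.split('=', 2); [k.downcase, v.to_s.strip] }
  declared = opts['samesite']&.downcase
  valid = %w[strict lax none].include?(declared)
  { name: pair.split('=', 2).first,
    same_site: valid ? declared.to_sym : :lax, # missing/invalid falls back to Lax
    defaulted: !valid,
    secure: opts.key?('secure') }
end

# Would the browser attach this cookie to a cross-site request?
def sent_cross_site?(cookie, top_level_navigation:, method: 'GET')
  case cookie[:same_site]
  when :strict then false
  when :lax    then top_level_navigation && SAFE_METHODS.include?(method.upcase)
  when :none   then cookie[:secure] # SameSite=None without Secure is rejected
  end
end

# Findings a reviewer would raise for one Set-Cookie header.
def audit(header)
  c = parse_set_cookie(header)
  findings = []
  findings << 'SameSite missing or invalid, browser defaults to Lax' if c[:defaulted]
  if c[:same_site] == :none && !c[:secure]
    findings << 'SameSite=None without Secure, browser rejects the cookie'
  end
  findings
end

# Constructed sample headers; the cookie values are placeholders.
SAMPLE_HEADERS = [
  'session_key=abc123; path=/; HttpOnly',                  # no SameSite at all
  'session_key=abc123; path=/; HttpOnly; SameSite=Strict', # same_site: :strict
  'widget=1; path=/; SameSite=None',
  'widget=1; path=/; Secure; SameSite=None'
].freeze

SAMPLE_HEADERS.each do |h|
  c = parse_set_cookie(h)
  img = sent_cross_site?(c, top_level_navigation: false)
  puts "#{h}\n  SameSite=#{c[:same_site]} sent with cross-site image request: #{img}"
  audit(h).each { |f| puts "  finding: #{f}" }
end
```

An embedded image is a subresource request, not a top-level navigation, so only a cookie marked `SameSite=None; Secure` accompanies it across sites.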