It appears that Safari 16.4+ sometimes loses SameSite cookies without explicit
expiry when performing subrequests, e.g. to load JavaScript or when using
`fetch()`. The conditions apply to the XSRF-Token cookie. Now if one of the
subrequests hits the application, the application will hand out a fresh
XSRF-Token cookie, due to the cookie being missing. This results in spurious
changes of the XSRF-Token and thus error messages for the user.
According to comments in the WebKit bug, a workaround for the issue is not
providing a SameSite attribute at all, and we leverage this workaround for the
time being: the SameSite attribute on the XSRF-Token cookie is a defense-in-depth
measure.
see https://bugs.webkit.org/show_bug.cgi?id=255524
see https://www.woltlab.com/community/thread/299769-fehlerhafter-xsrf-token/
(cherry picked from commit 832de3617df81b357430f8d99527dc34efd277a7)
// SameSite=lax is not supported in a multi domain set-up, because
// it breaks cross-application requests.
$sameSite = '; SameSite=lax';
+
+ // Workaround for WebKit Bug #255524.
+ // https://bugs.webkit.org/show_bug.cgi?id=255524
+ $sameSite = '';
}
if (!HTTP_SEND_X_FRAME_OPTIONS) {
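Review bot: the added `$sameSite = '';` unconditionally overwrites the `$sameSite = '; SameSite=lax';` assignment two lines above, so that assignment and the comment explaining why `lax` was chosen over the multi-domain case become dead code. Either drop the original assignment and fold its rationale into the new comment, or keep the `lax` value behind a single, clearly named switch (e.g. a constant next to `HTTP_SEND_X_FRAME_OPTIONS`) so the workaround can be reverted once the WebKit bug is fixed, rather than leaving two consecutive assignments whose ordering is the only thing that encodes the intent. The comment should also state what the commit message says, that SameSite is a defense-in-depth layer here and that XSRF protection now rests entirely on validating the token itself, so a future reader does not mistake the empty string for an oversight.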