SameSite and Content Security Policy


Like a lot of people lately, I have a few problems with SameSite and Secure.

We have a website where our users must be logged in to buy some stuff.

When our user wants to pay, he is redirected to the payment platform. Once he has made the payment, he is redirected back to our website.

The problem is that with browsers such as Chrome he is no longer logged in, and we can't display the order information anymore. Many of our users did not understand this and attempted to order multiple times.

From what I understood (How can I redirect after OAUTH2 with SameSite=Strict and still get my cookies?), because the SameSite policy is Lax by default, when he is redirected to the payment interface and then back to our website, the cookie chain is broken and the cookies from our website are not sent, and that is why our user is no longer logged in.

I could set SameSite to None, but then that would mean that our website is vulnerable.

I also did some research on Content Security Policy and was wondering whether, using CSP, it would be possible to set SameSite=None and still be able to prevent ?


There is 1 answer

Halvor Sakshaug

If you don't specify the SameSite flag, only Chrome/Edge will treat the cookies as Lax by default. Setting your cookies to SameSite=None will not make them more insecure than they were before "Lax by default" in Chromium or in other browsers.

Lax by default protects your users from tracking and CSRF. If you have some other CSRF mitigation in place, you are probably not vulnerable when setting SameSite=None. CSP doesn't help you in this case.
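As an added illustration of the answer's point (example code, not from the question or the answer), the Python snippet below issues the login cookie with `SameSite=None; Secure` so the session survives the round trip to the payment platform, and guards state-changing requests with a session-bound synchronizer token so the site stays protected against CSRF. The cookie name, the form field name and the per-process secret are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed server-side secret; a real deployment persists this across restarts.
SECRET = secrets.token_bytes(32)


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the login session.

    SameSite=None lets the cookie accompany the cross-site redirect back
    from the payment platform; browsers require Secure alongside None.
    """
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["path"] = "/"
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "None"
    return c.output(header="").strip()


def csrf_token(session_id: str) -> str:
    """Derive a per-session token; the server embeds it as a hidden form field."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_state_change(method: str, cookies: dict, form: dict) -> bool:
    """Accept a state-changing request only when the form token matches the
    token derived from the session cookie. A cross-site forged POST still
    carries the SameSite=None cookie, but it cannot read the token."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must never change state
    sid = cookies.get("session")
    token = form.get("csrf_token", "")
    if not sid or not token:
        return False
    return hmac.compare_digest(token, csrf_token(sid))


if __name__ == "__main__":
    print(session_cookie_header("s1"))
    # Constructed requests: a genuine checkout and a forged cross-site one.
    genuine = {"csrf_token": csrf_token("s1")}
    print(is_valid_state_change("POST", {"session": "s1"}, genuine))  # True
    print(is_valid_state_change("POST", {"session": "s1"}, {}))       # False
```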