That exception is temporary and will go away at some point. The specific situation that covers is for top-level, cross-site POST requests that require cookies. These should be set with SameSite=None; Secure as a permanent fix, not rely on the exception. This was added to account for a number of individual single sign-on implementations using this pattern to receive a CSRF token in their cookie - it is not related to the Safari issue.
The Safari issue is due to their implementation matching a much earlier version of the draft. As a result, if you need the cookie to work in all browsers you can use the double cookie solution proposed in web.dev/samesite-cookie-recipes/#h...
That exception is temporary and will go away at some point. The specific situation that covers is for top-level, cross-site POST requests that require cookies. These should be set with
SameSite=None; Secureas a permanent fix, not rely on the exception. This was added to account for a number of individual single sign-on implementations using this pattern to receive a CSRF token in their cookie - it is not related to the Safari issue.The Safari issue is due to their implementation matching a much earlier version of the draft. As a result, if you need the cookie to work in all browsers you can use the double cookie solution proposed in web.dev/samesite-cookie-recipes/#h...
Thank you Rowan for your input on this issue 🙏🏼