I do not think that this can be done, for security reasons. SameSite=Strict means that if a user was redirected or simply clicked on a link to your site (from another host), cookies should not be sent. And a redirection is like chaining requests. Therefore, if your server redirects to another one, and this server redirects back immediately with a 3xx code, the cookie will be sent because your server is "on top" of this chain.
However, if you are redirected to the OAuth provider, and the user must allow you access to their account, this means that this "chain" is broken and the cookie will no longer be sent even if your site sets it (it is set, however it is not sent). Your redirect is simply an "extension" of the clicked "allow" link.
If you do not want other users to depend on your site, just use a nonce in the link if you think you need to prevent this behavior, and this can be dangerous if you do not. But consider that most providers check whether the redirect URL was previously defined and resolved by your application.
Here are other solutions (use only if you know what you are doing, and you can take 100% responsibility).
- Prepare a page with the link "Continue to the site" (the cookie, of course, will be sent after the link is clicked).
- Refresh the window using JavaScript.
- Prepare a page with JavaScript that redirects the user.
- Combine the first and third methods for a cleaner solution that also works without JavaScript support in the browser.
I used the second one during development; now I use SameSite=Lax (this was the default in Hapi, possibly up to version 15, so this is not so bad).
Alan mroczek
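As an added example that is not part of the answer above: a small JavaScript model of the browser's SameSite decision, applied to the OAuth callback the answer describes, together with the "Continue to the site" interstitial from the first workaround. The hostnames, the callback URL and the `sid` cookie name are assumptions.

```javascript
// Does the browser attach a cookie with this SameSite value? `initiator` is the
// site of the document that started the navigation, `target` the site requested.
// Strict: same-site only. Lax: same-site, or a top-level navigation with a safe
// method (GET). None: always (browsers also require Secure for None).
function cookieIsSent(sameSite, { initiator, target, topLevel, method }) {
  const sameSiteRequest = initiator === target;
  switch (sameSite) {
    case "Strict": return sameSiteRequest;
    case "Lax":    return sameSiteRequest || (topLevel && method === "GET");
    case "None":   return true;
    default: throw new Error("unknown SameSite value: " + sameSite);
  }
}

// The callback URL carries attacker-reachable query parameters (code, state),
// so escape it before placing it in an HTML attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Callback handler using the answer's first workaround: the provider's consent
// page initiated the navigation here, so a Strict cookie is missing. Instead of
// treating the user as logged out, serve a "Continue" link to the same URL; that
// click is initiated from our own site, so the cookie arrives on the next request.
function handleCallback(req, cookieName = "sid") {
  const sid = req.cookies[cookieName];
  if (sid !== undefined) {
    return { status: 200, body: "processed callback for session " + sid };
  }
  return {
    status: 200,
    body: '<p><a href="' + escapeHtml(req.url) + '">Continue to the site</a></p>',
  };
}

// Walk the flow for one SameSite setting and return the handler responses: request 1
// comes from the provider, request 2 (if needed) from the "Continue" link.
// Hostnames, path and cookie value below are constructed placeholders.
function simulateCallbackFlow(sameSite) {
  const app = "https://app.example", provider = "https://idp.example";
  const url = "/oauth/callback?code=abc&state=xyz";
  const responses = [];
  let initiator = provider;
  for (let hop = 0; hop < 2; hop++) {
    const ctx = { initiator, target: app, topLevel: true, method: "GET" };
    const cookies = cookieIsSent(sameSite, ctx) ? { sid: "s1" } : {};
    const res = handleCallback({ url, cookies });
    responses.push(res);
    if (!res.body.startsWith("<")) break;   // processed; no interstitial needed
    initiator = app;                        // user clicked the link on our page
  }
  return responses;
}
```

With Strict the first request reaches the handler without the cookie and gets the interstitial, and only the same-site click delivers it; with Lax the top-level GET from the provider already carries the cookie.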