SameSite=Strict prevents the browser from sending the HttpOnly refresh token cookie in cross-origin contexts like the Electron desktop app, where the page runs on localhost but the API is on a remote host. This caused sessions to expire quickly because refresh requests never included the cookie. SameSite=None allows cross-origin sending while HttpOnly still prevents JavaScript from reading the cookie value (XSS protection).

Resolves #2309

| Name | | |
|---|---|---|
| auth | ||
| avatar | ||
| background | ||
| dump | ||
| keyvalue | ||
| migration | ||