core: set SameSite=Lax on authentication cookie
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02 SameSite=None breaks the compatibility with some browser versions. https://www.chromium.org/updates/same-site/incompatible-clients We choose Lax and not Strict so that we can open links to ERP5 from external applications and so that OAuth Logins work. Implementing the "two cookies, one for read one for write" approach suggested in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-8.8.2 would be too big change at this point. Allow instances to surcharge the SameSite value for some specific domains if needed, by surcharging the ERP5Site_getAuthCookieSameSite script.
Showing with 86 additions and 2 deletions