Setting a cookie doesn’t always behave the same way. If you set a cookie with SameSite=strict on a domain listed in the public suffix list, it will get blocked by CORS even if the request and the cookie come from the same domain.
This makes sense for domains that are primarily used to host the sites of many different users, like compute.amazonaws.com for AWS resources or githubpreview.dev, which serves previews for GitHub Codespaces. You wouldn’t want a different user hosted on the same domain to be able to set cookies for your users’ site, because that would be a security issue.
A workaround is to set the cookie with SameSite=none together with the Secure attribute it requires, but this effectively allows cross-site cookies, which then need other security measures to lock down.
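To make the behaviour above concrete, here is an added example (not code from this note) that models how a browser decides whether two hosts are the same site and whether a cookie with a given SameSite value is attached to a request. It uses a small, constructed subset of the Public Suffix List so it runs offline, ignores the list's wildcard and exception rules, and compares hosts only (real browsers also compare the scheme). All function names are assumptions made for this example.

```python
from typing import Optional

# Constructed subset of the Public Suffix List (https://publicsuffix.org) so the
# example runs offline. The real list has thousands of entries plus wildcard
# and exception rules, which this toy ignores.
PUBLIC_SUFFIXES = {
    "com",
    "dev",
    "amazonaws.com",
    "compute.amazonaws.com",
    "githubpreview.dev",
}


def _labels(host: str) -> list[str]:
    return host.lower().rstrip(".").split(".")


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 ("site") of host, or None if host is itself a public suffix.

    The longest matching suffix wins, which is why a public suffix such as
    githubpreview.dev turns every one of its subdomains into a separate site.
    """
    labels = _labels(host)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None  # unknown TLD; not modelled in this toy


def same_site(host_a: str, host_b: str) -> bool:
    """Host-only same-site check: both hosts share a registrable domain."""
    a, b = registrable_domain(host_a), registrable_domain(host_b)
    return a is not None and a == b


def cookie_sent(samesite: str, page_host: str, request_host: str,
                top_level_navigation: bool = False) -> bool:
    """Would the browser attach a cookie with this SameSite value to the request?"""
    mode = samesite.lower()
    if mode == "none":
        return True  # cross-site allowed (the cookie must also carry Secure)
    if same_site(page_host, request_host):
        return True
    # Lax still sends the cookie on top-level navigations such as link clicks
    # (safe methods only; the method check is not modelled here). Strict never does.
    return mode == "lax" and top_level_navigation


def domain_attribute_accepted(cookie_domain: str, response_host: str) -> bool:
    """The rule that keeps shared-hosting suffixes safe: a cookie may not claim a
    Domain that is a public suffix, and the Domain must cover the responding host."""
    domain = cookie_domain.lower().lstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return False
    host = response_host.lower()
    return host == domain or host.endswith("." + domain)


def set_cookie_header(name: str, value: str, samesite: str, secure: bool = True) -> str:
    """Build a Set-Cookie header; SameSite=None is only valid together with Secure."""
    mode = samesite.capitalize()
    if mode == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", f"SameSite={mode}"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    # Two Codespaces previews on the shared suffix are different sites, so a
    # Strict cookie from one is never sent to the other; two subdomains of an
    # ordinary registrable domain are the same site.
    print(cookie_sent("Strict", "a.githubpreview.dev", "b.githubpreview.dev"))  # False
    print(cookie_sent("Strict", "app1.example.com", "app2.example.com"))        # True
    print(domain_attribute_accepted("githubpreview.dev", "a.githubpreview.dev"))  # False
    print(set_cookie_header("session", "abc", "none"))
```

The `domain_attribute_accepted` check is the reason the restriction exists: if a browser accepted `Domain=githubpreview.dev`, any preview could plant cookies for every other preview. The `SameSite=None; Secure` header produced at the end is the workaround from the note, and it is exactly the case where CSRF protection has to come from somewhere other than the cookie attribute.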
See also:
- This is another gotcha for GitHub Codespaces like how they don’t allow requests across ports from a preview
- SameSite is important to prevent cross site request forgery (CSRF) attacks
Links to this note
- Running Docker Compose in Codespaces
Using the built-in `docker-compose` configuration in GitHub Codespaces is limited. It’s better to run `docker-compose` inside the Codespace, but this requires a docker-in-docker setup, which is finicky.