relationship between sameSite and the secure option?

[johaven]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the issue has not already been raised

Issue

From my understanding there is no relationship between the secure option and the sameSite option that can be applied to the cookie. This code makes it impossible to configure sameSite to 'strict' for non https connections (a little annoying for developments).

Additionally the sameSite option is examined during serialization

if (opts.secure === 'auto') {
    if (isConnectionSecure(reply.request)) {
      opts.secure = true
    } else {
      opts.sameSite = 'lax' // remove this
      opts.secure = false
    }
  }

[mcollina]

I don't understand what's the ask here. Can you clarify?

[johaven]

I don't understand why the sameSite value is set here, it doesn't make any sense. I think it should be deleted

[gurgunday]

What problem do you encounter when it's set to lax like that?

Lax should be the minimum default but I agree that it could be applied more consistently

Maybe ||= could be preferred to not override a user setting

[johaven]

By setting the value to strict we actually obtain the Lax value if we are not in a secure context, but there is no meaningful relationship between secure and samesite. In any case this parameter is examined later, when serializing the cookie, as you prefer :)