From c24d4fd7fd616268af3a60218d2cae6a9f7160d0 Mon Sep 17 00:00:00 2001 From: "Stanko K.R." Date: Tue, 24 Mar 2026 15:17:05 +0100 Subject: [PATCH] Use Same-site: Lax This is a guess based on a few articles I read where Windows Hello doesn't play nice with Same-Site: Strict. I have no credible evidence to back this up. --- lib/action_pack/passkey/challenges_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/action_pack/passkey/challenges_controller.rb b/lib/action_pack/passkey/challenges_controller.rb index bec1770b0..82886266a 100644 --- a/lib/action_pack/passkey/challenges_controller.rb +++ b/lib/action_pack/passkey/challenges_controller.rb @@ -24,7 +24,7 @@ class ActionPack::Passkey::ChallengesController < ActionController::Base def create challenge = create_passkey_challenge - cookies.encrypted[COOKIE_NAME] = { value: challenge, httponly: true, same_site: :strict, secure: !request.local? && request.ssl? } + cookies.encrypted[COOKIE_NAME] = { value: challenge, httponly: true, same_site: :lax, secure: !request.local? && request.ssl? } render json: { challenge: challenge } end