Hacker News | danielmichaelni's comments

Opening in a normal new tab should work as well. I think it's because clicking a photo normally uses client-side navigation (navigates with JS), while opening in a new tab will fetch the entire new page.


Actually, a normal tab wasn't. I was a little surprised.


Shopify has an App Store. I'm assuming they can copy popular apps from there.


Does this mean that if we use SameSite=Lax for our session cookies, we don't need to worry about CSRF attacks?


Mostly, if you opt in: https://caniuse.com/#feat=same-site-cookie-attribute. SameSite=Lax will still send cookies for some types of GET requests; depending on the complexity of your site and UX, there are ways to be more protected (with SameSite=Strict, cookie pairs, etc.).

Once all browsers behave like Chrome is trying to (SameSite=Lax by default), we will have dramatically less CSRF on the web. Other browsers are likely to adopt this change eventually if Chrome sticks with it. You will at least need to consider users with out-of-date browsers for a while yet (and implement XSRF tokens and/or explicitly opt in to Lax/whatever).

The old behaviour will still (and always?) be around with SameSite=None. It has uses, but misuses could create CSRF vulnerabilities. There will still be CSRF problems on the web but it will get a lot rarer and, mercifully, not the default.
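
As an added example (not code from this thread, and not any browser's implementation), the following JavaScript models the rule the comment above describes: when a browser attaches a cookie to a cross-site request depends on the cookie's SameSite attribute, the request method, and whether the request is a top-level navigation. The request shape, the `siteOf` approximation of a "site" (last two host labels instead of the Public Suffix List), and the `laxByDefault` switch that stands in for Chrome's default are all assumptions made for the demo; Chrome's two-minute "Lax+POST" allowance for freshly set default cookies is not modelled.

```javascript
// Added example: a simplified model of the SameSite cookie rules.
// Not the code of any browser; see the assumptions in the comments.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Assumption: a "site" is the last two host labels (shop.example.com ->
// example.com). Real browsers use the Public Suffix List; this is an
// approximation that is good enough for hosts like bank.example.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse a Set-Cookie header value into { name, value, sameSite, secure }.
// Returns null when the cookie is rejected at set time: modern browsers
// drop SameSite=None cookies that are not also marked Secure.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: null, // null = attribute not present (browser default applies)
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") {
      const val = v.toLowerCase();
      // Unrecognised values are left as "not set" and get the default below.
      if (["strict", "lax", "none"].includes(val)) cookie.sameSite = val;
    }
  }
  if (cookie.sameSite === "none" && !cookie.secure) return null;
  return cookie;
}

// Decide whether `cookie` (belonging to req.targetHost) is attached to `req`.
// req (constructed shape for this demo):
//   method             HTTP method of the request
//   targetHost         host the request goes to (the cookie's host)
//   initiatorHost      site of the page that initiated the request, or null
//                      when the user typed the URL themselves
//   topLevelNavigation true for link clicks / form posts that change the
//                      address bar, false for fetch(), <img>, <iframe> loads
// opts.laxByDefault: treat a missing SameSite attribute as Lax (Chrome's
//   default) rather than as the legacy "always send" behaviour.
function shouldSendCookie(cookie, req, opts = { laxByDefault: true }) {
  const crossSite =
    req.initiatorHost !== null &&
    siteOf(req.initiatorHost) !== siteOf(req.targetHost);
  if (!crossSite) return true; // same-site requests always carry the cookie

  let mode = cookie.sameSite;
  if (mode === null) mode = opts.laxByDefault ? "lax" : "none";

  switch (mode) {
    case "strict":
      return false; // never attached to a cross-site request
    case "lax":
      // only top-level navigations using a safe method (e.g. clicking a link)
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    case "none":
      return true; // legacy behaviour; Secure is required to set it at all
    default:
      return false;
  }
}

// The classic CSRF: a page on evil.example auto-submits a form to the bank.
// Returns true if the session cookie would ride along with that POST.
function csrfFormPostSucceeds(setCookieHeader, laxByDefault) {
  const cookie = parseSetCookie(setCookieHeader);
  if (cookie === null) return false; // cookie was never stored
  const attackerPost = {
    method: "POST",
    targetHost: "bank.example",
    initiatorHost: "evil.example",
    topLevelNavigation: true,
  };
  return shouldSendCookie(cookie, attackerPost, { laxByDefault });
}
```

Running `csrfFormPostSucceeds("session=abc", false)` gives the pre-2020 answer (true: the cookie is sent, so the forged POST is authenticated), while the same header under `laxByDefault: true` gives false. The `topLevelNavigation` flag is what makes Lax safe for `<img>`, `fetch()` and `<iframe>` loads but not for a GET link that changes state, which is the "some types of GET requests" caveat in the comment above.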


This API is a disaster. None is insecure, but Lax is private?

Lax and Strict are adjectives. What are they even modifying? Not "SameSite"! They are referring to "SameSiteRestriction" or something.

Why not align with CS of CSRF as AllowCrossSite, and values Always / OnUserRequest / Never ?


A gift card directory for NYC restaurants.

We're hoping this can help local restaurants survive COVID-19.

https://menurescu.com/

