The source project of this merge request has been removed.
Fix: remote follows should not ask user to log in again for authorization
#804 (closed)

Pleroma's default for SameSite cookie attribute is 'Strict', meaning that any request originating from another domain will not send cookies that were set by logging in to the target domain. The intention is to prevent CSRF attacks.
I think we can set the default to 'Lax', to prevent remote follows from prompting the user to log in again. This change shouldn't make us any more vulnerable to CSRF since Pleroma follows the semantics of safe methods.
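
The difference between the two settings discussed above, as an added example that is not part of the merge request or Pleroma's code: a simplified model of when a browser attaches a session cookie under `SameSite=Strict` versus `SameSite=Lax`. The hostnames, paths and the `cookieSent`/`compare` helpers are hypothetical, and "site" is approximated by hostname.

```javascript
// Added example: simplified model of the browser's SameSite decision.
// Assumption: "site" is approximated by hostname; real browsers compare
// scheme plus registrable domain (eTLD+1).
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

const siteOf = (url) => new URL(url).hostname;

// Returns true if a cookie with the given SameSite value is attached.
function cookieSent(sameSite, req) {
  if (siteOf(req.initiator) === siteOf(req.url)) return true; // same-site: always sent
  if (sameSite === "Strict") return false; // never sent cross-site
  if (sameSite === "Lax") {
    // Cross-site: only top-level navigations using a safe method.
    return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
  }
  throw new Error(`unsupported SameSite value: ${sameSite}`);
}

// Constructed requests; hostnames and paths are hypothetical placeholders.
const HOME = "https://home.example";
const REMOTE = "https://remote.example/users/alice";
const requests = {
  remoteFollowLink: { method: "GET", url: `${HOME}/remote-follow?acct=alice`, initiator: REMOTE, topLevelNavigation: true },
  crossSiteFormPost: { method: "POST", url: `${HOME}/follow`, initiator: REMOTE, topLevelNavigation: true },
  crossSiteImageGet: { method: "GET", url: `${HOME}/follow?acct=alice`, initiator: REMOTE, topLevelNavigation: false },
  sameSiteFormPost: { method: "POST", url: `${HOME}/follow`, initiator: `${HOME}/authorize`, topLevelNavigation: true },
};

// Builds { requestName: { Strict: bool, Lax: bool } } for every sample request.
function compare() {
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = { Strict: cookieSent("Strict", req), Lax: cookieSent("Lax", req) };
  }
  return out;
}

console.table(compare());
```

Only the top-level cross-site GET changes between the two settings, so the CSRF protection is unchanged as long as no GET, HEAD, OPTIONS or TRACE handler modifies state.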