cookies: Use `Lax` instead of `Strict` for `SameSite`

src/node/hooks/express/webaccess.js

@@ -228,8 +228,6 @@ exports.expressConfigure = (hook_name, args, cb) => {
     exports.secret = settings.sessionKey;
   }
 
-  const sameSite = settings.ssl ? 'Strict' : 'Lax';
-
   args.app.sessionStore = exports.sessionStore;
   args.app.use(sessionModule({
     secret: exports.secret,
@@ -239,12 +237,9 @@ exports.expressConfigure = (hook_name, args, cb) => {
     name: 'express_sid',
     proxy: true,
     cookie: {
-      /*
+      // `Strict` is not used because it has few security benefits but significant usability
-       * Firefox started enforcing sameSite, see https://github.com/ether/etherpad-lite/issues/3989
+      // drawbacks vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
-       * for details.  In response we set it based on if SSL certs are set in Etherpad.  Note that if
+      sameSite: 'Lax',
-       * You use Nginx or so for reverse proxy this may cause problems.  Use Certificate pinning to remedy.
-       */
-      sameSite: sameSite,
       /*
        * The automatic express-session mechanism for determining if the
        * application is being served over ssl is similar to the one used for

src/static/js/pad_utils.js

@@ -532,7 +532,9 @@ padutils.binarySearch = require('./ace2_common').binarySearch;
 // window object.
 if (typeof window !== 'undefined') {
   exports.Cookies = require('js-cookie/src/js.cookie');
-  exports.Cookies.defaults.sameSite = window.location.protocol === 'https:' ? 'Strict' : 'Lax';
+  // `Strict` is not used because it has few security benefits but significant usability drawbacks
+  // vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
+  exports.Cookies.defaults.sameSite = 'Lax';
   exports.Cookies.defaults.secure = window.location.protocol === 'https:';
 }
 exports.randomString = randomString;