From 80b12ee25c44c17a4f16e1719312d6d06f2032cd Mon Sep 17 00:00:00 2001
From: Oliver Eyton-Williams
Date: Wed, 16 Jun 2021 11:47:47 +0200
Subject: [PATCH] fix(ajax): use 'same-origin' credentials (#42525)
---
 client/src/utils/ajax.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/utils/ajax.js b/client/src/utils/ajax.js
index 0845ba536a..927535f1bd 100644
--- a/client/src/utils/ajax.js
+++ b/client/src/utils/ajax.js
@@ -9,7 +9,7 @@ const tokens = new Tokens();
 // TODO: test on staging. Do we need 'include' everywhere?
 const defaultOptions = {
- credentials: environment === 'development' ? 'include' : 'same-site'
+ credentials: environment === 'development' ? 'include' : 'same-origin'
 };
 // _csrf is passed to the client as a cookie. Tokens are sent back to the server
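Review bot: The `// TODO: test on staging. Do we need 'include' everywhere?` comment above `defaultOptions` is left in place, so the new production value `'same-origin'` ships with its open question unanswered and undocumented. With `'same-origin'` the browser attaches cookies only to requests whose URL shares the page's origin, so if the API these options are used against is served from a different host (not visible in this hunk), the session and `_csrf` cookies would silently stop being sent in production, while development, which keeps `'include'`, would not reveal it. I would replace the TODO with a comment stating the assumption, e.g. `// production: the API must share the client's origin, otherwise cookies are not sent; development keeps 'include'` (adding the reason development differs once it is confirmed), and verify on staging before merging. The code that consumes `defaultOptions` lies outside the hunk.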