fix: Add SameSite=Lax to cookies for improved security (#23)

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Closes #10

Author: kentcdodds

src/color-scheme.ts

@@ -21,7 +21,7 @@ export function subscribeToSchemeChange(
 	const schemaMatch = window.matchMedia('(prefers-color-scheme: dark)')
 	function handleThemeChange() {
 		const value = schemaMatch.matches ? 'dark' : 'light'
-		document.cookie = `${cookieName}=${value}; Max-Age=31536000; Path=/`
+		document.cookie = `${cookieName}=${value}; Max-Age=31536000; SameSite=Lax; Path=/`
 		subscriber(value)
 	}
 	schemaMatch.addEventListener('change', handleThemeChange)

src/index.ts

@@ -78,7 +78,7 @@ function checkClientHints() {
 		.join(',\n')}
 	];
 	for (const hint of hints) {
-		document.cookie = encodeURIComponent(hint.name) + '=' + encodeURIComponent(hint.actual) + '; Max-Age=31536000; path=/';
+		document.cookie = encodeURIComponent(hint.name) + '=' + encodeURIComponent(hint.actual) + '; Max-Age=31536000; SameSite=Lax; path=/';
 		if (decodeURIComponent(hint.value) !== hint.actual) {
 			cookieChanged = true;
 		}

src/reduced-motion.ts

@@ -21,7 +21,7 @@ export function subscribeToMotionChange(
 	const motionMatch = window.matchMedia('(prefers-reduced-motion: reduce)')
 	function handleMotionChange() {
 		const value = motionMatch.matches ? 'reduce' : 'no-preference'
-		document.cookie = `${cookieName}=${value}; Max-Age=31536000; Path=/`
+		document.cookie = `${cookieName}=${value}; Max-Age=31536000; SameSite=Lax; Path=/`
 		subscriber(value)
 	}
 	motionMatch.addEventListener('change', handleMotionChange)