Put_secure_browser_headers overly protective?

security
phoenix

#1

I just spent the better part of the day figuring out why my phoenix app could authenticate through Auth0 flawlessly via Chrome and gives a fatal error (invalid_token) via Safari.

Long story short, it turns out the ‘put_secure_browser_headers’ put so many blocks in place (and Safari supports these more than Chrome) that this was a server-based problem masquerading as a client issue. I am still figuring out what valid values for response headers are, but I don’t think security defaults should get in the way of functionality like that.

I would suggest making these things more explicit and/or optional. This has been quite a frustrating day.
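To make the headers explicit, as the first post asks for, here is an added Elixir example that is not from the original post or from Phoenix itself: it lists what `Phoenix.Controller.put_secure_browser_headers/2` actually sets in a test and overrides one header through the plug's map argument in the router. `MyAppWeb.Router` and the `x-frame-options` value are placeholder assumptions.

```elixir
# Added example, not from the original post. Assumes a Phoenix app with the
# usual :phoenix and :plug dependencies; MyAppWeb.Router and the chosen
# x-frame-options value are placeholder assumptions.

# 1. test/secure_headers_test.exs: print and assert on the exact headers the
#    plug adds, so the defaults are reviewed rather than trusted blindly.
defmodule SecureHeadersTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  test "put_secure_browser_headers defaults are visible and overridable" do
    # Headers added by the plug with no overrides.
    defaults =
      conn(:get, "/")
      |> Phoenix.Controller.put_secure_browser_headers()
      |> Map.fetch!(:resp_headers)

    # Shows the full default set for the installed Phoenix version.
    IO.inspect(defaults, label: "secure browser headers")
    assert {"x-content-type-options", "nosniff"} in defaults

    # The map argument is merged over the defaults, so a single header can
    # be tightened or relaxed without dropping the others.
    overridden =
      conn(:get, "/")
      |> Phoenix.Controller.put_secure_browser_headers(%{
        "x-frame-options" => "DENY"
      })

    assert get_resp_header(overridden, "x-frame-options") == ["DENY"]
  end
end

# 2. lib/my_app_web/router.ex: the same override made explicit in the
#    browser pipeline, where anyone reading the router can see it.
defmodule MyAppWeb.Router do
  use Phoenix.Router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers, %{"x-frame-options" => "DENY"}
  end
end
```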


#2

Well it turns out I was premature in my conclusions, even after removing all the security headers the Safari errors remain. Even the people at Auth0 are stumped now, it looks like an issue that arises solely with Phoenix & Safari. Should anyone care, here’s the thread:

I hope someone recognises some of it, it has completely worn me out.