
403 Forbidden Attempting to use a *one*-time login secret 2 times

By dreyveloper @dreyveloper
    2020-08-12 04:31:31.359Z

    Good day, a problem occurred while using "v0/login-with-secret?oneTimeSecret=" just now; it was working just fine yesterday.
    This is the error message: "403 Forbidden Attempting to use a one-time login secret 2 times"

    • 2 replies
    1. (as per the discussion in the private topic ...)

      So this is apparently a change in Chrome the last few days, which causes problems with blog comments & Single Sign-On:

      Chrome now thinks a domain comments-for-some-website-com.talkyard.net is too similar to the domain some.website.com,
      so if the browser goes to comments-for-..., then Chrome shows a warning that maybe one intended to visit some.website.address.com (but not comments-for-...).

      And when Chrome does this, it first loads the comments-for-... page once — thereby using up a oneTimeSecret=... in the URL.
      And after the user has clicked buttons in Chrome to proceed to comments-for ..., then, Talkyard replies Single Sign-On error, because the oneTimeSecret cannot be used twice.

      Maybe comments-for-... URLs will have to be changed to something else, so Chrome stops showing these warnings.

      1. In reply to dreyveloper:

        Seems there's a 2nd problem too: Chrome recently activated the SameSite cookie policy, in the same browser upgrade I suppose.

        I think this change in Chrome breaks Single Sign-On when combined with blog comments. (Otherwise, with no SSO, Talkyard falls back to a session id in HTTP headers instead.)

        So for now I'll need to ... add a config value so you can enable SameSite: None.

        https://www.chromium.org/updates/same-site

        SameSite Updates
        ...
        Last updated August 11, 2020.
        ...
        For the full Chrome release schedule, see here. For the SameSite-by-default and SameSite=None-requires-Secure launch timeline, see below:
        ...
        July 28, 2020: The rollout population has been increased to target a fraction of the overall Chrome 80+ stable population. We are monitoring metrics and ecosystem feedback on our tracking bug.
        Aug 11, 2020: The target rollout population has been increased to 100% of users on Chrome Stable versions 80 and above, and the actual proportion of users with the new behavior enabled is now ramping up to 100% gradually. Users will receive the new behavior when they restart Chrome.

        1. Progress with handling this problem
        2. @KajMagnus marked this topic as Started 2020-08-13 09:47:43.944Z.
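An added example (not Talkyard's code; all names are hypothetical) modelling the two failure modes in this thread: a strictly single-use login secret, which turns the browser's extra page load into a "used 2 times" 403 on the real visit, and the session cookie whose SameSite attribute Chrome 80+ now defaults to Lax unless the server sends SameSite=None together with Secure.

```python
import secrets
import threading
import time
from dataclasses import dataclass, field


@dataclass
class OneTimeSecretStore:
    """Constructed one-time login secret store (hypothetical, not Talkyard's)."""
    ttl_seconds: float = 60.0
    _pending: dict = field(default_factory=dict)
    _used: set = field(default_factory=set)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[token] = (user_id, time.monotonic() + self.ttl_seconds)
        return token

    def redeem(self, token: str):
        """Atomically consume a secret. Returns (status, user_id) with status one of
        'ok', 'reused', 'unknown', 'expired'. A prefetch or warning-page load that
        hits the URL first consumes the secret, so the user's own visit sees 'reused'."""
        with self._lock:
            entry = self._pending.pop(token, None)
            if entry is None:
                return ("reused" if token in self._used else "unknown"), None
            self._used.add(token)
        user_id, deadline = entry
        if time.monotonic() > deadline:
            return "expired", None
        return "ok", user_id


def login_response(status: str):
    """Map a redeem status to (HTTP status, message) as a server might."""
    if status == "ok":
        return 200, "OK"
    if status == "reused":
        return 403, "Forbidden Attempting to use a one-time login secret 2 times"
    return 403, "Forbidden Invalid or expired one-time login secret"


def session_cookie(session_id: str, same_site_none: bool) -> str:
    """Build Set-Cookie for the SSO session (cookie name is a placeholder).
    Embedded comments are a cross-site context, so the cookie is only sent if
    SameSite=None; Chrome accepts SameSite=None only on a Secure cookie."""
    attrs = ["sessionId=" + session_id, "Path=/", "HttpOnly", "Secure"]
    attrs.append("SameSite=None" if same_site_none else "SameSite=Lax")
    return "; ".join(attrs)
```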