fix: Allow loading attachments linked from other sites/emails.

Loosens same-site policy to include cookies for navigation events.
closes #4737

server/routes/auth/index.ts

@@ -34,7 +34,7 @@ router.get("/redirect", auth(), async (ctx: APIContext) => {
 
   ctx.cookies.set("accessToken", jwtToken, {
     httpOnly: false,
-    sameSite: true,
+    sameSite: "lax",
     expires: addMonths(new Date(), 3),
   });
   const [team, collection, view] = await Promise.all([

server/utils/authentication.ts

@@ -119,7 +119,7 @@ export async function signIn(
     }
   } else {
     ctx.cookies.set("accessToken", user.getJwtToken(), {
-      sameSite: true,
+      sameSite: "lax",
       httpOnly: false,
       expires,
     });