From a197bee82bc8ee9d801d69993b06245d86710367 Mon Sep 17 00:00:00 2001 From: Jeff Bruemmer <jeff.bruemmer@gmail.com> Date: Fri, 17 Nov 2023 12:11:44 -0500 Subject: [PATCH] docs - samesite (#35888) --- .../environment-variables.md | 6 +----- docs/embedding/interactive-embedding.md | 18 ++++++++++++------ 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/configuring-metabase/environment-variables.md b/docs/configuring-metabase/environment-variables.md index 9e204174565..129bd8b2dc1 100644 --- a/docs/configuring-metabase/environment-variables.md +++ b/docs/configuring-metabase/environment-variables.md @@ -1200,16 +1200,12 @@ Only available on Metabase [Pro](https://www.metabase.com/product/pro) and [Ente Type: string (`"none"`, `"lax"`, `"strict"`)<br> Default: `"lax"` -When using interactive embedding, and the embedding website is hosted under a domain other than the one your Metabase instance is hosted under, you most likely need to set it to `"none"`. - -Setting the variable to `"none"` requires you to use HTTPS, otherwise browsers will reject the request. +See [Embedding Metabase in a different domain](../embedding/interactive-embedding.md#embedding-metabase-in-a-different-domain). Related to [MB_EMBEDDING_APP_ORIGIN](#mb_embedding_app_origin). Read more about [interactive Embedding](../embedding/interactive-embedding.md). Learn more about SameSite cookies: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite -> WARNING: If you're NOT embedding Metabase and you set `MB_SESSION_COOKIE_SAMESITE` to "none", Chrome and Safari will reject authentication attempts. - ### `MB_SESSION_COOKIES` Type: boolean<br> diff --git a/docs/embedding/interactive-embedding.md b/docs/embedding/interactive-embedding.md index af7e1e78e27..0a46c900968 100644 --- a/docs/embedding/interactive-embedding.md +++ b/docs/embedding/interactive-embedding.md 
@@ -105,15 +105,21 @@ Note that your interactive embed must be compatible with Safari to run on _any_ > Skip this section if your Metabase and embedding app are already in the same top-level domain (TLD). -If you want to embed Metabase in another domain (say, if Metabase is hosted at `metabase.yourcompany.com`, but you want to embed Metabase at `yourcompany.github.io`), you can set the following [environment variable](../configuring-metabase/environment-variables.md): +If you want to embed Metabase in another domain (say, if Metabase is hosted at `metabase.yourcompany.com`, but you want to embed Metabase at `yourcompany.github.io`), you can tell Metabase to set the session cookie's SameSite value to "none". -```sh -MB_SESSION_COOKIE_SAMESITE=None -``` +You can set session cookie's SameSite value in **Admin settings** > **Embedding** > **Interactive embedding** > **SameSite cookie setting**. + +SameSite values include: + +- **Lax** (default): Allows cookies to be sent when someone navigates to the origin site from an external site (like when following a link). +- **None**: Allows all cross-site requests. Incompatible with most Safari and iOS browsers, such as Chrome on iOS. If you set this environment variable to "None", you must use HTTPS in Metabase to prevent browsers from rejecting the request. +- **Strict** (not recommended): Never allows cookies to be sent on a cross-site request. Warning: this will prevent users from following external links to Metabase. + +You can also set the the [`MB_SESSION_COOKIE_SAMESITE` environment variable](../configuring-metabase/environment-variables.md#mb_session_cookie_samesite). -If you set this environment variable to "None", you must use HTTPS in Metabase to prevent browsers from rejecting the request. For more information, see MDN's documentation on [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite). 
+If you're using Safari, you'll need to [allow cross-site tracking](https://support.apple.com/en-tj/guide/safari/sfri40732/mac). Depending on the browser, you may also run into issues when viewing emdedded items in private/incognito tabs. -Note that `SameSite=None` is incompatible with most Safari and iOS browser versions (including any browser that runs on iOS, such as Chrome on iOS). +Learn more about [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite). ## Securing interactive embeds -- GitLab
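Review bot: the `MB_SESSION_COOKIE_SAMESITE` entry in environment-variables.md loses its HTTPS requirement: the removed line `Setting the variable to "none" requires you to use HTTPS, otherwise browsers will reject the request.` is replaced only by a link to interactive-embedding.md, so an operator who sets the variable from the reference page alone never sees that `"none"` only works when Metabase is served over HTTPS. Suggest keeping that one sentence next to the new `See [Embedding Metabase in a different domain]` link, since the constraint belongs to the variable, not to embedding. The removed `> WARNING:` about setting the value to "none" when not embedding is also not restated anywhere in this patch, so that caveat drops out of the docs entirely; either keep it in this file or fold it into the new SameSite values list in interactive-embedding.md.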
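Review bot: in the new SameSite values list in interactive-embedding.md, the **None** bullet still says `If you set this environment variable to "None"`, but the paragraph above it now points users at **Admin settings** > **Embedding** > **Interactive embedding**, and "None" is capitalised where the env var reference lists `"none"`; suggest `If you set this to None, you must use HTTPS in Metabase ...`. In the same bullet, `Incompatible with most Safari and iOS browsers, such as Chrome on iOS` reads as if Chrome on iOS were a Safari browser; the removed wording, `including any browser that runs on iOS, such as Chrome on iOS`, was clearer and should be restored. The **Lax** bullet only describes top-level navigation from an external site and does not state the case this section exists for: with Lax the session cookie is not sent when Metabase is loaded in an iframe on another domain, which is the reason None is required for cross-domain embedding; one clause there would make the Lax/None choice follow from the explanation. Typos to fix in the added lines: `You can set session cookie's SameSite value` (missing `the`), `set the the`, and `emdedded`. The Apple support link uses an `en-tj` locale path; a locale-neutral or `en-us` path would be the expected one for English docs.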