html

Cookies

SameSite attribute

At individual cookie level, server can specify SameSiteattribute:
strict user-agent should send the cookie only for same-site requests
̀lax user-agent should send the cookie for same-site and cross-site top level navigations
none user-agent should send the cookie for both same-site and cross-site requests (Secure should be True)

ajax requests are by definition not 'top level navigation' requests.

links: `<a>` vs `<span>`

With a SPA and hash routing, you can use <a> and its href attribute, it wouldn't trigger a page request.
With path routing, that is something you want to avoid. So there are 2 ways to create a link to navigate: <a> with preventDefault() or a clickable <span>.
There are pros & cons:
<a href="/" on:click={(e)=>go(e,'/user/register')}>Create account</a>
It is the natural way, but it would force to have a function, go(), to encapsulate preventDefaut() and redirection.
And Svelte preprocessor will complain if href="#"...

<span class="spnlnk font-weight-bold" on:click={()=>page.redirect("/user/register")} aria-hidden="true">Create account</span>
It has the advantage to avoid the browser status change (when mouse on:hover, a.href value is shown). There is no need to preventDefaul(). But we have to change cursor CSS property to 'pointer' (here with .spnlnk class), and define aria-hidden attribute.

html

Cookies

SameSite attribute

links: <a> vs <span>

links: `<a>` vs `<span>`