Im working on a chrome extension that doesn't set or read any cookies. It uses firebase and google analytics if that makes a difference.
I'm getting this warning in the background script console:
A cookie associated with a cross-site resource at
http://doubleclick.net/ was set without the SameSite attribute. A
future release of Chrome will only deliver cookies with cross-site
requests if they are set with SameSite=None and Secure. You can
review cookies in developer tools under Application>Storage>Cookies
and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.
Anybody knows how to get rid of this warning or what could be the trigger?
Thanks a lot!
Since the last update, I'm having an error with cookies, related with SameSite attribute.
The cookies are from third party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.)
The errors in the Chrome console are like this.
A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
Is there anything I need to do in my local machine or server or is just some feature they should implement in future releases of their libraries?
This console warning is not an error or an actual problem — Chrome is just spreading the word about this new standard to increase developer adoption.
It has nothing to do with your code. It is something their web servers will have to support.
Release date for a fix is February 4, 2020 per:
https://www.chromium.org/updates/same-site
February, 2020: Enforcement rollout for Chrome 80 Stable: The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.
For the full Chrome release schedule, see here.
I solved same problem by adding in response header
response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are Lax or Strict.
SameSite cookies explained here
Please refer this before applying any option.
Update - June 2021
The chrome flag for #same-site-by-default is removed from the Chrome experiments panel as Chrome 91.
The flag is still available via the launch options until Chrome 94.
For macos the terminal command to launch with the flag is:
// Chrome
open -n -a Google\ Chrome --args --disable-features=SameSiteByDefaultCookies
// Chrome Canary
open -n -a Google\ Chrome\ Canary --args --disable-features=SameSiteByDefaultCookies
More info:
Mar 18, 2021: The flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure have been removed from chrome://flags as of Chrome 91, as the behavior is now enabled by default. In Chrome 94, the command-line flag --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure will be removed.
Source: Chromium SameSite Updates page.
Original Answer - March 2020
If you are testing on localhost and you have no control of the response headers, you can disable it with a chrome flag.
Visit the url and disable it: chrome://flags/#same-site-by-default-cookies
I need to disable it because Chrome Canary just started enforcing this rule as of approximately V 82.0.4078.2 and now it's not setting these cookies.
Note: I only turn this flag on in Chrome Canary that I use for development. It's best not to turn the flag on for everyday Chrome browsing for the same reasons that google is introducing it.
Fixed by adding crossorigin to the script tag.
From: https://code.jquery.com/
<script
src="https://code.jquery.com/jquery-3.4.1.min.js"
integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
crossorigin="anonymous"></script>
The integrity and crossorigin attributes are used for Subresource
Integrity (SRI) checking. This allows browsers to ensure that
resources hosted on third-party servers have not been tampered with.
Use of SRI is recommended as a best-practice, whenever libraries are
loaded from a third-party source. Read more at srihash.org
To elaborate on Rahul Mahadik's answer, this works for MVC5 C#.NET:
AllowSameSiteAttribute.cs
public class AllowSameSiteAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var response = filterContext.RequestContext.HttpContext.Response;
if(response != null)
{
response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
//Add more headers...
}
base.OnActionExecuting(filterContext);
}
}
HomeController.cs
[AllowSameSite] //For the whole controller
public class UserController : Controller
{
}
or
public class UserController : Controller
{
[AllowSameSite] //For the method
public ActionResult Index()
{
return View();
}
}
I had to disable this in chrome://flags
When it comes to Google Analytics I found raik's answer at Secure Google tracking cookies very useful. It set secure and samesite to a value.
ga('create', 'UA-XXXXX-Y', {
cookieFlags: 'max-age=7200;secure;samesite=none'
});
Also more info in this blog post
I am attempting to follow the new guidelines for Cross Site Cookies and passing the SameSite=None; Secure attributes with cookies as I attempt to set them in browser Javascript code.
We are sending our SSO/Authorization javascript bundle from a separate host and domain that is supposed to set a cookie in the browser for storing the sessionToken. This cookie is then expected to be used on a browser refresh to maintain the users session.
Since updating to Chrome 80 the cookie is no longer saved in the browser due to the following error:
A cookie associated with a cross-site resource at <sso_domain> was set without the
`SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with
cross-site requests if they are set with `SameSite=None` and `Secure`. You can review
cookies in developer tools under Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
We are using js-cookie to set the cookie which uses the browsers document.cookie to actually create it: https://github.com/js-cookie/js-cookie/blob/master/src/api.mjs#L38
Initially we were not passing the SameSite attribute through the attributes param (we were passing Secure), but even after updating our call to js-cookie and seeing the appropriate stringifiedAttributes in Chrome Inspector (both Secure and SameSite=None):
SameSite cookie attribute in Chrome Inspector
I am still seeing the error in the chrome console:
error in console
Operating System: OSX
Chrome version: Version 80.0.3987.149 (Official Build) (64-bit)
I apologize if I'm repeating this question but I've spent over 6 days on this and I'm losing my mind. I can't seem to get that warning to disappear even though I've meticulously tried and retried to add these in my php index before the and tags. I've tried posts on
SameSite warning Chrome 77
to use
response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
as well as posts here
How to solve `SameSite` attribute
to use
header('Set-Cookie: cross-site-cookie=name; SameSite=None; Secure');
as well as the examples on here
https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md
and I'm still getting the warning even though everything else hasn't changed. Am I missing something or doing something wrong? Sorry, I suppose it shouldn't be a big deal but I'm so ocd over these warning messages and errors that's popping up I wish they would go away! Thx in advance.
-update- sorry the warning that pops up in console in question is this
A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
The warning is specifically for the cookie coming from "google.com" so you will not be able to affect it. If any of the console warnings refer to domains you control, then you should be following that advice to update your SameSite attributes.
It does mean that you will continue to see these warnings until the affected domains update their cookies, which should be happening over the coming months. The enforcement of this behaviour is not planned until Chrome 80, which will be stable in February. So, no actual site/service functionality should be affected in stable Chrome before then.
I have a URI here in which a simple document.cookie query through the console is resulting in three cookies being displayed. I verified this with trivial code such as the following as well:
var cookies = document.cookie.split(';');
console.log(cookies.length);
The variable cookies does indeed come out to the number 3. Web Developer on the other hand is indicating that a grand total of 8 cookies are in use.
I'm slightly confused to believe which is inaccurate. I believe the best solution might involve just reiterating the code above without the influence of Firebug. However, I was wondering if someone might suggest a more clever alternative to decipher which tool is giving me the inaccurate information.
One reason might be that the other 5 cookies are HTTPONLY:
http://msdn.microsoft.com/en-us/library/ms533046.aspx
If the HttpOnly attribute is included
in the response header, the cookie is
still sent when the user browses to a
Web site in the valid domain. The
cookie cannot be accessed through
script in Internet Explorer 6 SP1,
even by the Web site that set the
cookie in the first place. This means
that even if a cross-site scripting
bug exists, and the user is tricked
into clicking a link that exploits
this bug, Windows Internet Explorer
does not send the cookie to a third
party. The information is safe.
Firefox also respects this flag (as of v2.0.0.5).
I'm pretty sure the web developer toolbar shows cookies for domain and sub-domains.
So it will show cookies for
abc.xyz.com
xyz.com
whether you are on a page of either domain