
What to do with SameSite cookie warning
Intro
For quite a while Chrome has been displaying this warning in the console: "A cookie associated with a cross-site resource at http://ABCDEFG.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`."
Explanations were a bit confusing on what a site owner has to do to remedy this issue so I did my own investigation.
TL;DR;
- The SameSite/Secure settings of a cookie are the responsibility of the domain that sets the cookie, e.g. YouTube should update their own cookie settings
- Make sure your web application has a valid SSL certificate
- Unless your web application collects data from 3rd party web sites, you don't have to do anything
Investigation
There are quite a few blogs written about it*. But as the Chrome 80 release date got closer, more and more issues/questions were created on what to do with SameSite/Secure cookie settings*. To test how your web application will behave with the new enforced cookie policy, you can enable the SameSite settings in Chrome at chrome://flags/. After Chrome restarts, delete all cookies and refresh your web application. You may see that 3rd party cookies have been blocked by the browser (instead of a warning that they will be blocked).
Functionality of the web applications (Gmail or my own web application) does not seem to be affected. What may have been affected is the collection of Google Analytics data or ads reporting. If a 3rd party app relies on that cookie, then functionality might be affected.
It's up to 3rd party providers to update their cookie settings. Cloudflare has already done so*, so it's up to Google to fix their cookies now.
Once all vendors update their cookie settings, your web application will have to have a valid SSL certificate to be able to accept 3rd party cookies.
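If your own application does set cookies that must travel on cross-site requests, the rule from the Chrome warning can be checked mechanically. The following is an added example, not part of the original post: it classifies `Set-Cookie` header values by how the enforced policy treats them on cross-site subrequests. The function names and the sample headers are constructed for illustration.

```javascript
// Added example. Sample Set-Cookie values below are constructed.
// Classifies how Chrome's enforced SameSite policy treats a cookie on
// cross-site subrequests (iframes, images, XHR/fetch to another site).
function classifySetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrs = new Map();
  for (const part of attrParts) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : part.slice(eq + 1).trim().toLowerCase();
    attrs.set(key, value); // a repeated attribute overrides the earlier one
  }
  const sameSite = attrs.get('samesite');
  if (sameSite === 'none') {
    // SameSite=None is only honoured together with Secure (HTTPS only).
    return attrs.has('secure')
      ? { name, crossSite: 'sent', reason: 'SameSite=None; Secure' }
      : { name, crossSite: 'rejected', reason: 'SameSite=None without Secure' };
  }
  if (sameSite === 'strict' || sameSite === 'lax') {
    return { name, crossSite: 'blocked', reason: `explicit SameSite=${sameSite}` };
  }
  // Missing or unrecognised SameSite is treated as Lax under the new policy.
  return { name, crossSite: 'blocked', reason: 'no SameSite, defaults to Lax' };
}

// Returns only the cookies that will no longer arrive on cross-site requests.
function auditCookies(headers) {
  return headers.map(classifySetCookie).filter((r) => r.crossSite !== 'sent');
}

const sampleHeaders = [
  'session=abc123; Path=/; HttpOnly',
  'widget_id=42; Path=/; SameSite=None',
  'widget_id=42; Path=/; SameSite=None; Secure',
  'prefs=dark; Path=/; SameSite=Lax; Secure',
];

for (const r of auditCookies(sampleHeaders)) {
  console.log(`${r.name}: ${r.crossSite} (${r.reason})`);
}
```

A first-party session cookie showing up as "blocked" here is the expected and desirable result; only cookies that are meant to be read in a 3rd party context need `SameSite=None; Secure`.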
* Resources
Blogs about SameSite cookie settings:
- https://digiday.com/media/what-is-chrome-samesite/
- https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
- https://web.dev/samesite-cookies-explained/
Issue queue:
- Solved by Cloudflare! https://community.cloudflare.com/t/google-chrome-warning-about-cloudflare-cookie/123192
- Responded by Google Tag Manager team: https://support.google.com/tagmanager/thread/23372963?hl=en
- https://www.drupal.org/search/site/SameSite
