What to do with SameSite cookie warning

A quick investigation of SameSite cookie warning and what to do about it
Janna M

Intro

For quite a while Chrome has been displaying a warning in console "A cookie associated with a cross-site resource at http://ABCDEFG.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. "

Explanations of what a site owner has to do to remedy this issue were a bit confusing, so I did my own investigation.

TL;DR

- The SameSite/Secure settings of a cookie are the responsibility of the domain that sets that cookie, e.g. YouTube should update its own cookie settings

- Make sure your web application has a valid SSL certificate

- Unless your web application collects data from 3rd party web sites, you don't have to do anything

Investigation

There are quite a few blogs written about it*. But as the Chrome 80 release date approached, more and more issues/questions were created about what to do with the SameSite/Secure cookie settings*. To test how your web application will behave under the new enforced cookie policy, you can enable the SameSite settings in Chrome at chrome://flags/. After Chrome restarts, delete all cookies and refresh your web application. You may see that 3rd party cookies have been blocked by the browser (instead of a warning that they will be blocked).

Functionality of the web applications (Gmail or my own web application) does not seem to be affected. What may be affected is the collection of Google Analytics data or ads reporting. *If a 3rd party app relies on that cookie, then its functionality might be affected.

It's up to 3rd party providers to update their cookie settings. Cloudflare has already done so*, so it's up to Google to fix their cookies now.

Once all vendors update their cookie settings, your web application will need a valid SSL certificate to be able to accept 3rd party cookies.
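To check which of your (or a vendor's) Set-Cookie headers would be affected by the policy described above, here is a small audit script. It is an added example, not code from the original post; the sample headers are constructed and the helper names (`audit_set_cookie`, `audit_headers`) are my own. It models the rules the warning describes: no SameSite attribute means the cookie is treated as Lax and stops being sent with cross-site requests, and SameSite=None is only honoured together with Secure.

```python
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute name lowercased: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # flag attributes like Secure have no value
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> Tuple[str, str]:
    """Classify one Set-Cookie header under the Chrome 80 SameSite defaults.

    Verdicts:
      'cross-site-ok'  - SameSite=None; Secure: still delivered on cross-site requests
      'rejected'       - SameSite=None without Secure: the browser drops the cookie
      'lax-by-default' - no SameSite attribute: treated as Lax, so it is no longer
                         sent with cross-site subresource requests (the warning case)
      'same-site-only' - explicit Lax/Strict: behaviour unchanged
    """
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if same_site == "none":
        return name, "cross-site-ok" if secure else "rejected"
    if same_site == "":
        return name, "lax-by-default"
    return name, "same-site-only"


def audit_headers(headers: List[str]) -> Dict[str, str]:
    """Map every cookie name in a list of Set-Cookie headers to its verdict."""
    return dict(audit_set_cookie(h) for h in headers)


# Constructed sample headers, in the shape a third-party embed might set them.
SAMPLE_HEADERS = [
    "_ga=GA1.2.123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "legacy=abc; Path=/; SameSite=None",
    "fixed=xyz; Path=/; SameSite=None; Secure",
    "session=qwe; Path=/; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, verdict in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie:10s} {verdict}")
```

Feed it the Set-Cookie headers from your own responses (or from the DevTools Network tab) to see which cookies need `SameSite=None; Secure` and which only serve first-party use and are fine as Lax.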

* Resources

Blogs about SameSite cookie settings:

Issue queue:

[Image: chrome flags]