Since the last update, I'm having an error with cookies, related to the SameSite attribute.

The cookies are from third-party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.)

The errors in the Chrome console are like this.

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Is there anything I need to do on my local machine or server, or is it just some feature they should implement in future releases of their libraries?

asked by peiblox, edited by Ivar

  • Nothing to do with your code. It's something their web servers will have to support. – Daniel A. White Oct 07 '19 at 13:39
  • I have the same problem, does this mean we can't use third-party websites in our code? – Love2Code Oct 07 '19 at 19:45
  • You can use the libraries without any problem. It is just a warning the console will throw until they implement that in their servers, as @DanielA.White said before. – peiblox Oct 09 '19 at 07:14
  • And what exactly happens if the 3rd party does not fix their cookies by the date that `A future release of Chrome will only deliver ...` - will my site break? Looks like that future date is 02/04/2020 - not too far away. – JK. Nov 26 '19 at 21:24
  • I am getting this warning on a local development server in a page that does not use any Google APIs, yet the warning specifically mentions `gstatic.com`. So weird. – corwin.amber Jan 11 '20 at 12:17
  • As mentioned by @DanielA.White, this needs to be fixed in the third-party code, see [this answer](https://stackoverflow.com/questions/58830297/a-cookie-associated-with-a-cross-site-resource-was-set-without-the-samesite-at/58847557#58847557) for more context. – Hooman Bahreini Jan 16 '20 at 21:30
  • Strange though that _Google_ Chrome is referring to functionality that another _Google_ service -- Google Charts in my case, retrieved from `gstatic.com` in the OP -- needs to change in order to comply. You'd guess that the team for Google Chrome communicates with the team for Google Charts. :-) – Jochem Schulenklopper Jul 28 '20 at 13:17
  • @JK This has happened for instance on the Danish governmental job search site jobnet.dk. It does not work in Chrome anymore if logging in via the public SingleSiteLogin NemID. – Leif Neland Nov 30 '20 at 21:07

6 Answers

Answer (183 votes)

This console warning is not an error or an actual problem — Chrome is just spreading the word about this new standard to increase developer adoption.

It has nothing to do with your code. It is something their web servers will have to support.

Release date for a fix is February 4, 2020 per: https://www.chromium.org/updates/same-site

February, 2020: Enforcement rollout for Chrome 80 Stable: The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.

For the full Chrome release schedule, see here.

I solved the same problem by adding this to the response header:

// A Set-Cookie header must begin with a name=value pair; "session" and "<value>" are placeholders for the cookie being protected
response.setHeader("Set-Cookie", "session=<value>; HttpOnly; Secure; SameSite=Strict");

SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are Lax or Strict.

SameSite cookies explained here

Please refer to this before applying any option.

answered by Rahul Mahadik, edited by starball

  • Have you done any research on how this could be handled when pulling in 3rd party scripts that set cookies (like Google Analytics and Google Tag Manager)? – BRass Oct 14 '19 at 19:47
  • If perchance you're using .NET, appending the web.config or adding URL Rewrite rules in IIS would address this issue. Credit goes to the solution at https://stackoverflow.com/questions/38954821/preventing-csrf-with-the-same-site-cookie-attribute – BDarley Oct 25 '19 at 14:10
  • Is there a solution that does not involve JavaScript? – posfan12 Oct 27 '19 at 11:50
  • @BRass I'm loading a Google Map tile layer in my application as a 3rd party script/URL. I have not done any research with other 3rd party scripts. – Rahul Mahadik Oct 30 '19 at 09:04
  • @KrisWen As I am using this solution in my Grails 3 project, I have added this solution in Grails 3 interceptors (as a replacement for filters). – Rahul Mahadik Oct 30 '19 at 09:07
  • @posfan12 I have not resolved it by using JavaScript. I have added it in interceptors. – Rahul Mahadik Oct 30 '19 at 09:09
  • @BRass Wondering if you found any solution to this issue. I'm also facing this issue with third-party bundles and there's no way for us to add the header to their responses. – AzureWorld Dec 09 '19 at 19:46
  • No, I believe that any third-party cookies will require the third party to adjust how they set their cookies. I have personally seen some improvements from some vendors since October already. – BRass Dec 09 '19 at 19:49
  • I must say that a friendly warning really triggers the OCD of many developers like me. My frustration at the dirty console rises considerably when I see YouTube, a Google property, as an offender generating console errors in Google Chrome. This is the way, I have spoken. – Marc Jan 06 '20 at 05:22
  • Any ideas why a simple request of an image would trigger this error? Even when the image request does not involve creating/reading a cookie, and the image domain URL does not match the cookie URL reported by the Chrome console warning message? – andreszs Feb 20 '20 at 14:14
  • For PHP you have to add the "samesite" attribute with `setcookie()`. See details here: https://stackoverflow.com/a/51128675/1066234 - Note: Check your PHP files where `setcookie()` is called and fix it accordingly. – Avatar Mar 24 '20 at 09:11
  • If you're using Chrome Dev Tools and you don't want to see a dirtied-up console because of third-party warnings, you can check the Selected Context Only box in the Console. https://developers.google.com/web/tools/chrome-devtools/console/reference#filtercontext – doubledherin Apr 22 '20 at 10:21
  • The Chromium blog announced that the SameSite cookie rollout is being temporarily rolled back due to COVID-19. The February 2020 date, while accurate at one point, is no longer accurate. https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html – HPierce May 27 '20 at 02:23
  • I have the same question as @andreszs. I have a "parent" website that we hotlink images to in a `fetch()` request and I'm getting this silly error. That parent website is a CakePHP framework application. – Vael Victus Jul 27 '20 at 17:58
  • I'm on the way to implementing a Tweet (Twitter) and Like/Share button (Facebook) and have the same warnings (not only in GC, also in FF). The interfaces' (NOT my) code generates the cross-site issues. What I don't understand: I think Twitter and Facebook need the cookies to work correctly on THEIR sites. So... if I were able (with a not-nice "hack") to prevent these cookies, I assume the interfaces would not work correctly anymore?!? Can someone explain this, please? – FredyWenger Aug 05 '20 at 15:30
Answer (44 votes)

Update - June 2021

The Chrome flag #same-site-by-default is removed from the Chrome experiments panel as of Chrome 91.

The flag is still available via the launch options until Chrome 94.

For macOS the terminal command to launch with the flag is:

# Chrome
open -n -a Google\ Chrome --args --disable-features=SameSiteByDefaultCookies

# Chrome Canary
open -n -a Google\ Chrome\ Canary --args --disable-features=SameSiteByDefaultCookies

More info:

Mar 18, 2021: The flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure have been removed from chrome://flags as of Chrome 91, as the behavior is now enabled by default. In Chrome 94, the command-line flag --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure will be removed. Source: Chromium SameSite Updates page.


Original Answer - March 2020

If you are testing on localhost and you have no control of the response headers, you can disable it with a chrome flag.

Visit the URL and disable it: chrome://flags/#same-site-by-default-cookies

I need to disable it because Chrome Canary just started enforcing this rule as of approximately v82.0.4078.2 and now it's not setting these cookies.

Note: I only turn this flag on in Chrome Canary that I use for development. It's best not to turn the flag on for everyday Chrome browsing for the same reasons that google is introducing it.

answered by Will

  • Disabling this flag and relaunching Canary did not work for me, so I just added `-SameSite` to the main "Filter" box, which I also used to remove this annoying sourcemap issue => https://superuser.com/questions/1523427/google-chrome-devtools-failed-to-parse-sourcemap-chrome-extension – Andrew Mar 28 '20 at 04:53
Answer (14 votes)

Fixed by adding crossorigin to the script tag.

From: https://code.jquery.com/

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source. Read more at srihash.org

answered by John Magnolia
Answer (9 votes)

To elaborate on Rahul Mahadik's answer, this works for MVC5 in C#/.NET:

AllowSameSiteAttribute.cs

using System.Web.Mvc;

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if (response != null)
        {
            // A Set-Cookie header must begin with a name=value pair; "session"
            // and "<value>" are placeholders for the cookie being protected.
            response.AddHeader("Set-Cookie", "session=<value>; HttpOnly; Secure; SameSite=Strict");
            //Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

HomeController.cs

[AllowSameSite] //For the whole controller
public class UserController : Controller
{
}

or

public class UserController : Controller
{
    [AllowSameSite] //For the method
    public ActionResult Index()
    {
        return View();
    }
}
answered by Joel Wiklund, edited by Behr
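Both the servlet one-liner in Rahul Mahadik's answer and the MVC5 filter above add a Set-Cookie header to the response. The following Node.js script is an added example, not code from either answer: it models the two rules Chrome 80 enforces (a cookie with no SameSite attribute is treated as Lax; SameSite=None is refused unless Secure is also present) and builds header values that satisfy them. The cookie names, values and request contexts in it are made up for the demonstration; the two-minute "Lax + POST" allowance is Chrome's documented mitigation for cookies it defaulted to Lax.

```javascript
'use strict';
// Added example (not code from the answers above): a small model of the
// cookie rules Chrome 80 enforces, plus a helper that builds compliant
// Set-Cookie values. Cookie names, values and request contexts below are
// made up for the demonstration.

function normalizeSameSite(raw) {
  const v = raw.trim().toLowerCase();
  if (v === 'strict') return 'Strict';
  if (v === 'lax') return 'Lax';
  if (v === 'none') return 'None';
  return null; // unrecognised value: this model treats it like an absent attribute
}

// Parse a Set-Cookie header value. Returns null when there is no leading
// name=value pair; browsers discard such a header, so it sets nothing.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: null, // null: attribute absent; Chrome 80 defaults it to Lax
  };
  for (const attr of parts.slice(1)) {
    const dash = attr.indexOf('=');
    const key = (dash < 0 ? attr : attr.slice(0, dash)).trim().toLowerCase();
    const val = dash < 0 ? '' : attr.slice(dash + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = normalizeSameSite(val);
  }
  return cookie;
}

// Would the browser store this cookie at all? It refuses Secure cookies set
// over plain http, and SameSite=None without Secure.
function acceptsCookie(cookie, overHttps) {
  if (cookie === null) return false;
  if (cookie.secure && !overHttps) return false;
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  return true;
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Is a stored cookie attached to a request?
// ctx: { crossSite, topLevel, method, https, cookieAgeSeconds }
function sendsCookie(cookie, ctx) {
  if (cookie.secure && !ctx.https) return false;
  if (!ctx.crossSite) return true;              // same-site: always sent
  const mode = cookie.sameSite === null ? 'Lax' : cookie.sameSite;
  if (mode === 'None') return true;             // explicit opt-in to cross-site use
  if (mode === 'Strict') return false;          // never on cross-site requests
  // Lax: top-level navigations with a safe method only, so embedded
  // subresources (script, img, iframe, fetch/XHR) never carry the cookie.
  if (!ctx.topLevel) return false;
  if (SAFE_METHODS.has(ctx.method)) return true;
  // Chrome's "Lax + POST" mitigation: a cookie that was only defaulted to
  // Lax is still sent on a top-level cross-site POST for two minutes.
  return cookie.sameSite === null && ctx.cookieAgeSeconds < 120;
}

// Build a Set-Cookie value, refusing combinations the browser would drop.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite = 'Lax', secure = true, httpOnly = true } = opts;
  if (!name || /[\s;=,]/.test(name)) throw new Error('invalid cookie name');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite value');
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Demo: the cookie of an embedded third-party widget, before and after the fix.
function demo() {
  const legacy = parseSetCookie('widget_session=abc123; Secure');
  const embedded = { crossSite: true, topLevel: false, method: 'GET', https: true, cookieAgeSeconds: 3600 };
  const fixed = parseSetCookie(buildSetCookie('widget_session', 'abc123', { sameSite: 'None' }));
  return {
    legacySentToEmbeddedWidget: sendsCookie(legacy, embedded), // false: the widget breaks
    fixedSentToEmbeddedWidget: sendsCookie(fixed, embedded),   // true
  };
}

console.log(demo());
```

The model makes the practical consequence of the warning concrete: a third-party cookie set without SameSite stops being attached to embedded subresources once Chrome 80 treats it as Lax, which is what breaks embedded widgets and third-party logins; the only attribute combination that restores cross-site delivery is SameSite=None together with Secure, and a Set-Cookie value made only of attributes, with no name=value pair, is discarded outright.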
Answer (1 vote)

I had to disable this in chrome://flags


answered by fozuse

  • Don't do that. It's just a hack and not a solution. Plus, you are playing with experimental features of Chrome. – Andrius Jul 02 '20 at 06:19
Answer (1 vote)

When it comes to Google Analytics, I found raik's answer at Secure Google tracking cookies very useful. It sets secure and samesite to a value.

ga('create', 'UA-XXXXX-Y', {
    cookieFlags: 'max-age=7200;secure;samesite=none'
});

Also more info in this blog post

answered by Erik Melkersson