20

Chrome is reporting the following warning:

A cookie associated with a cross-site resource at https://www.googletagmanager.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I have two warnings of this type. The three cookies I see are gtm_auth, gtm_preview, and gtm_debug. All are session cookies. I see gtm_auth is set with the Secure attribute (the SameSite attribute is empty). The other two cookies do not have either attribute set.

They are classified as analytical cookies, not marketing cookies, by the way.

Using Google Tag Manager, how do I set or modify these cookies? I'm not looking to update the cookies in my code. I imagine adding cookie attributes should be doable using Google Tag Manager. What is Google's stance on how to address this with Google Analytics and Google Tag Manager?

user3621633

2 Answers

16

For any of these warnings, if you are not responsible for the domain then you are not responsible for updating the cookies. The Google Tag Manager team will be responsible for updating the relevant code that sets the SameSite attributes for cookies from googletagmanager.com.

At this point, the warnings are purely informational and are not impacting functionality. Enforcing this behaviour in stable Chrome is not scheduled until M80, currently targeted for Feb 2020.

rowan_m
  • Thank you. You're correct. I see it's the GTM code which sets these cookies and I have no control over them. In fact, from my trace, I see they're initially set to empty strings by Google's code. It's not up to me to fix. It's up to the GTM/GA folks to ensure their code is in line with the Google Chrome changes. – user3621633 Oct 20 '19 at 00:06
  • 2
    Still, it would be nice if the warning were more targeted. Maybe the Chrome team could exclude domains like tagmanager.com that Google itself controls so that the console is not spammed like this. It is spreading the word at the cost of many developer hours for people trying to fix their websites when in fact, they cannot. – Stijn de Witt Oct 21 '19 at 18:12
  • We are looking at options here, though an important thing for us as Chrome is that we don't want to treat Google properties as any kind of special case. The way to reduce these warnings is for the Google services to fix their cookies, which they are planning on. However, I do appreciate it's a challenge to pull out the cookies that are just related to your domains. – rowan_m Nov 21 '19 at 21:15
  • This warning is not informational anymore, Chrome now blocks it. – chhantyal Mar 25 '20 at 16:05
  • The change is in the process of rolling out at the time of writing. Some browsers will block and some will not. You can see what behaviour your browser has at https://samesite-sandbox.glitch.me. – rowan_m Mar 25 '20 at 18:46
11

Chrome is already rolling out this change. You can set the cookie flags in analytics.js or gtag.js for this to work, for example:

gtag('config', 'G-N2A3FMNDT5', {
  cookie_flags: 'max-age=7200;secure;samesite=none'
});

For more information and background, see this blog post: The New cookieFlags Setting In Google Analytics

damon
chhantyal
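
An added example, not part of either answer and not Google's code: a small checker that applies the rule quoted in the Chrome warning to Set-Cookie headers, so you can see which cookies would still be delivered on cross-site requests. The header strings are constructed from the question's description of gtm_auth, gtm_preview and gtm_debug plus a constructed `_ga` cookie carrying the second answer's cookie_flags; the function names are hypothetical.

```javascript
// Added example. Sample headers are constructed from the question's description.
function parseSetCookie(header) {
  const [pair = '', ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    secure: false,
    sameSite: null, // null means the attribute is absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Verdict for a cross-site subresource request under the enforcement
// described in the warning (hypothetical helper name).
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') {
    return c.secure ? 'sent' : 'rejected: SameSite=None requires Secure';
  }
  if (c.sameSite === 'strict' || c.sameSite === 'lax') {
    return `withheld: SameSite=${c.sameSite}`;
  }
  return 'withheld: SameSite missing or unrecognized, treated as Lax';
}

// Map each header to its cookie name and verdict.
function audit(headers) {
  return headers.map(h => ({ name: parseSetCookie(h).name, verdict: crossSiteVerdict(h) }));
}

const samples = [
  'gtm_auth=; Secure', // Secure set, SameSite empty (as in the question)
  'gtm_preview=',      // neither attribute
  'gtm_debug=',        // neither attribute
  '_ga=constructed; max-age=7200;secure;samesite=none', // flags from the second answer
];

for (const { name, verdict } of audit(samples)) {
  console.log(`${name.padEnd(12)} ${verdict}`);
}
```

Only the last sample is delivered cross-site; a cookie marked SameSite=None without Secure is rejected outright rather than downgraded.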