5

So there is a lot of issues about this sameSite buisness, but I cannot find any answers when it comes to Laravel Websockets. There is nothing in their documentation about this.

So I thought I would ask here and see if you guys have any ideas.

Consider the following configuration:

import Echo from 'laravel-echo'

window.Pusher = require('pusher-js');

window.Echo = new Echo({
    broadcaster: 'pusher',
    key: process.env.MIX_PUSHER_APP_KEY,
    wsHost: window.location.hostname,
    wsPort: 6001,
    wssPort: 6001,
    disabledStats: true,
    encrypted: false,
    enabledTransports: ['ws', 'wss'],
    namespace: 'App',
    auth: {
      headers: {
        'X-CSRF-TOKEN': token.content
      }
    }
});

According to their docs, they use the pusher library - but there is no indication of it actually hitting pusher website. And I dont need any pusher credentials as those are all faked.

The issue is simple:

A cookie associated with a cross-site resource at http://support.pusher.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Which is all over stack overflow.

I disableSats and while yes the websockets do still run and work fine, eventually chrome will be like "nope". So I have no idea if this is a pusher issuer, the laravel websockets issue or what.

Does any one have any ideas on what I could do or attempt to do? I have tried setting forceTLS: true in the above config and that seems to work - but then web sockets won't connect.

I am worried that one day my app will just cease to work as we depend on websockets for a lot of functionality and this is one of the easiest and best libraries out there that do not require days of research and set up.

TheWebs
  • 12,470
  • 30
  • 107
  • 211
  • Can you try this in an Incognito session ensuring you do not visit any Pusher sites first? A cookie from `support.pusher.com` to me sounds like you may have visited the support forum in your browser and there's a cookie there that's still being sent with requests to any `pusher.com` domain. – rowan_m Jan 13 '20 at 12:30
  • Incognito mode doesn’t show the warning as stipulated I. The issue linked above. I deleted all cookies from the page, reloaded and still got the warning @rowan_m – TheWebs Jan 13 '20 at 16:33

1 Answers1

2

Firstly we have to understand workflow on this operation.

Here is example;

Your laravel backend
            ▼
[pub/sub service (can be redis pusher etc..)]
            ▼
laravel echo server
            ▼
websocket client ( mostly laravel echo client)

On client side

Websocket (mostly laravel echo client)
            ▼
Laravel echo server 
            ▼
http request to laravel backend

If you are trying to find trace from client side to pusher website this is not possible your client react with laravel echo server.

If you want to trace laravel echo server to pusher then you have to debug laravel echo server.

On your case, most likely pusher works fine (i been using their service for a while never seen a issue) if you want to debug that. You can use redis server and connect laravel echo to redis (and its works on your local network, way way faster then pusher)

I hope its helps.

Hasan Veli Soyalan
  • 2,428
  • 20
  • 24