0

finally, got my webpage broken after I receive a message about the cookie cross-site resource:

A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

EDIT: About my WebPage: It is a page, that I have on my localhost that displays videos from "https://www.googleapis.com/youtube/v3"

Of course I searched the internet for a solution and there is one (or even more) like here: How to solve `SameSite` attribute

And also an answer including my searched Javascript solution: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/javascript.md

Calls to document.cookie continue to work as they have before. You can provide the SameSite attribute as part of the assigned string.

// Set a same-site cookie for first-party contexts
document.cookie = 'cookie1=value1; SameSite=Lax';
// Set a cross-site cookie for third-party contexts
document.cookie = 'cookie2=value2; SameSite=None; Secure';

but I fail to implement it. Where should I write this in? In the chrome console? And when yes, then to which cookie? All I got, is the following:

Warning about SameSite issue.

Only one cookie.

But when I look at the "Application" bar in chrome, then at the dropdown menu of cookies I see a lot of them:

A lot of cookies

Also, when I look at the "issues" bar in Chrome I see the affected cookies and request (which is, of course <iframe>):

enter image description here

but don't know, how to handle this.

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
Dariusz Legizynski
  • 362
  • 5
  • 22
  • 1
    What are you actually trying to achieve, what cookie do you want to set, from where, from what domain, in what iframe, where is the website with the iframe hosted, where do you want to read that cookie from, a different domain? – luk2302 Aug 20 '20 at 07:34
  • Well, I try to get my page running again. To achieve this, I think, that I need to fix the warning, that I posted above (about the cross-site cookies). I do not know, which cookies are affected, but have a feeling, that it could the cookies, shown at pic 3. Also added an EDIT to better explain my situation. Thanks for the comment. – Dariusz Legizynski Aug 20 '20 at 07:47
  • 1
    The error message tells you which site those cookies are associated with. It isn't one you control. – Quentin Aug 20 '20 at 08:07
  • 1
    The change implies that if you want to open a site by Google that relies on cookies inside an iframe you need Google's collaboration. The change is meant to prevent malicious sites from doing that in order to steal user data. – Álvaro González Aug 20 '20 at 08:26
  • If I need Google's collaboration on iframe, than how can I achieve this from my side? Should I write in the ? – Dariusz Legizynski Aug 20 '20 at 08:33
  • 1
    It wouldn't be Google's collaboration if it could be done without Google's intervention. It's like, how do I let a delivery man into my house? I open the door for him. He can't get in alone. – Álvaro González Aug 20 '20 at 08:40
  • Thanks a lot for the explanation. I understand that part, but thanks to your answer I found the thread on SO with my issue: https://stackoverflow.com/questions/58724549/google-sign-in-api-platform-js-setting-cookies-without-samesite-attribute And also here https://stackoverflow.com/questions/58211114/how-to-solve-samesite-attribute?noredirect=1&lq=1 So the only thing left to do is to wait? – Dariusz Legizynski Aug 20 '20 at 09:23
  • 1
    My comments explain the issue in generic terms, now you need to do something specific to your use case. You're embedding YouTube videos: perhaps you aren't doing it in a supported way and you need to switch to the properly documented mechanisms, perhaps it's a formerly supported way that has been deprecated... I don't know. – Álvaro González Aug 20 '20 at 15:21

0 Answers0