SameSite cookie being blocked

Question

Quick overview: I open my website at domain1. Inside a page, I load an iframe with url http://domain2/...

I keep on getting this warning on chrome and it has affected my website:

A cookie associated with a cross-site resource at http://domain2 was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I never had to set cookies before so I'm unaware where the cookie should be set from. I've already tried setting proxy_cookie_path in my domain2 nginx config but it doesn't seem to work:

location / {
    proxy_cookie_path / "/; SameSite=None; Secure";
}

I also tried adding Set-Cookie header which also doesn't seem to work:

location / {
    ...
    add_header 'Set-Cookie' 'SameSite=None; Secure';
}

When I tried the second solution, it seems the the header was received from the response on chrome, but chrome gives the following warning:

Note that domain2 is our domain as well, and it has a python backend using Flask framework. So should I add the cookies from the python code or javascript frontend?

This is getting really frustrating.

Answer 1

Cross-Site Resource Sharing - CORS is a known issue when a request is sent through the same domain. You may try using already existing flask cors package to allow the same origin requests.

In addition, this question and answer seems relevant to yours.

Answer 2

I used this proxy_cookie_flags ~ secure samesite=none; in the blocks server { } and location { } and it worked.