SameSite warning Chrome 77

Question

Since the last update  I m having an error with cookies  related with SameSite attribute   The cookies are from third party developers  Fontawesome  jQuery  Google Analytics  Google reCaptcha  Google Fonts  etc    The errors in the Chrome console are like this   A cookie associated with a cross-site resource at  lt URL gt  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at  lt URL gt  and  lt URL gt    index  1 A cookie associated with a cross-site resource at http   jquery com  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032   index  1 A cookie associated with a cross-site resource at http   fontawesome com  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032   index  1 A cookie associated with a cross-site resource at http   google com  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032   index  1 A cookie associated with a cross-site resource at https   google com  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032   index  1 A cookie associated with a cross-site resource at https   www google com  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032   index  1 A cookie associated with a cross-site resource at http   www google com  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032   index  1 A cookie associated with a cross-site resource at http   gstatic com  was set without the  SameSite  attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with  SameSite None  and  Secure   You can review cookies in developer tools under Application gt Storage gt Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032    Is there anything I need to do in my local machine or server or is just some feature they should implement in future releases of their libraries

User · Answer

If you are testing on localhost and you have no control of the response headers, you can disable it with a chrome flag.

Visit the url and disable it: chrome://flags/#same-site-by-default-cookies

I need to disable it because Chrome Canary just started enforcing this rule as of approximately V 82.0.4078.2 and now it's not setting these cookies.

Note: I only turn this flag on in Chrome Canary that I use for development. It's best not to turn the flag on for everyday Chrome browsing for the same reasons that google is introducing it.

User · Answer

To elaborate on Rahul Mahadik s answer  this works for MVC5 C  NET   AllowSameSiteAttribute cs  public class AllowSameSiteAttribute   ActionFilterAttribute       public override void OnActionExecuting ActionExecutingContext filterContext                var response   filterContext RequestContext HttpContext Response           if response    null                        response AddHeader  Set-Cookie    HttpOnly Secure SameSite Strict                  Add more headers                       base OnActionExecuting filterContext             HomeController cs       AllowSameSite    For the whole controller     public class UserController   Controller               or      public class UserController   Controller                AllowSameSite    For the method         public ActionResult Index                         return View

User · Answer

I had to disable this in chrome   flags

User · Answer

This console warning is not an error or an actual problem     Chrome is just spreading the word about this new standard to increase developer adoption   It has nothing to do with your code  It is something their web servers will have to support   Release date for a fix is February 4  2020 per  https   www chromium org updates same-site  February  2020  Enforcement rollout for Chrome 80 Stable  The SameSite-by-default and SameSite None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17  2020  excluding the US President   s Day holiday on Monday  We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts    For the full Chrome release schedule  see here   I solved same problem by adding in response header  response setHeader  Set-Cookie    HttpOnly Secure SameSite Strict      SameSite prevents the browser from sending the cookie along with cross-site requests  The main goal is mitigating the risk of cross-origin information leakage  It also provides some protection against cross-site request forgery attacks  Possible values for the flag are Lax or Strict   SameSite cookies explained here  Please refer this before applying any option   Hope this helps you

User · Answer

Fixed by adding crossorigin to the script tag     From  https   code jquery com    lt script   src  https   code jquery com jquery-3 4 1 min js    integrity  sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo     crossorigin  anonymous  gt  lt  script gt       The integrity and crossorigin attributes are used for Subresource   Integrity  SRI  checking  This allows browsers to ensure that   resources hosted on third-party servers have not been tampered with    Use of SRI is recommended as a best-practice  whenever libraries are   loaded from a third-party source  Read more at srihash org

User · Answer

When it comes to Google Analytics I found raik s answer at Secure Google tracking cookies very useful  It set secure and samesite to a value  ga  create    UA-XXXXX-Y         cookieFlags   max-age 7200 secure samesite none       Also more info in this blog post

[javascript] SameSite warning Chrome 77

Examples related to javascript

Examples related to google-chrome

Examples related to cookies

Examples related to samesite