SyntaxFix

[javascript] SameSite warning Chrome 77

Since the last update, I'm having an error with cookies, related with SameSite attribute.

The cookies are from third party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.)

The errors in the Chrome console are like this.

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Is there anything I need to do in my local machine or server or is just some feature they should implement in future releases of their libraries?

This question is related to javascript google-chrome cookies samesite

The answer is

This console warning is not an error or an actual problem — Chrome is just spreading the word about this new standard to increase developer adoption.

It has nothing to do with your code. It is something their web servers will have to support.

Release date for a fix is February 4, 2020 per: https://www.chromium.org/updates/same-site

February, 2020: Enforcement rollout for Chrome 80 Stable: The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.

For the full Chrome release schedule, see here.

I solved same problem by adding in response header

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are Lax or Strict.

SameSite cookies explained here

Please refer this before applying any option.

Hope this helps you.

If you are testing on localhost and you have no control of the response headers, you can disable it with a chrome flag.

Visit the url and disable it: chrome://flags/#same-site-by-default-cookies SameSite by default cookies screenshot

I need to disable it because Chrome Canary just started enforcing this rule as of approximately V 82.0.4078.2 and now it's not setting these cookies.

Note: I only turn this flag on in Chrome Canary that I use for development. It's best not to turn the flag on for everyday Chrome browsing for the same reasons that google is introducing it.

Fixed by adding crossorigin to the script tag.

From: https://code.jquery.com/

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source. Read more at srihash.org

To elaborate on Rahul Mahadik's answer, this works for MVC5 C#.NET:

AllowSameSiteAttribute.cs

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if(response != null)
        {
            response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
            //Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

HomeController.cs

    [AllowSameSite] //For the whole controller
    public class UserController : Controller
    {
    }

or

    public class UserController : Controller
    {
        [AllowSameSite] //For the method
        public ActionResult Index()
        {
            return View();
        }
    }

I had to disable this in chrome://flags

enter image description here

When it comes to Google Analytics I found raik's answer at Secure Google tracking cookies very useful. It set secure and samesite to a value.

ga('create', 'UA-XXXXX-Y', {
    cookieFlags: 'max-age=7200;secure;samesite=none'
});

Also more info in this blog post

Source: Stackoverflow.com

Questions with javascript tag:

need to add a class to an element How to make a variable accessible outside a function? Hide Signs that Meteor.js was Used How to create a showdown.js markdown extension Please help me convert this script to a simple image slider Highlight Anchor Links when user manually scrolls? Summing radio input values How to execute an action before close metro app WinJS javascript, for loop defines a dynamic variable name Getting all files in directory with ajax Drag and drop menuitems Is it possible to execute multiple _addItem calls asynchronously using Google Analytics? DevTools failed to load SourceMap: Could not load content for chrome-extension TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received type undefined raised when starting react app What does 'x packages are looking for funding' mean when running `npm install`? SyntaxError: Cannot use import statement outside a module SameSite warning Chrome 77 "Uncaught SyntaxError: Cannot use import statement outside a module" when importing ECMAScript 6 Why powershell does not run Angular commands? Typescript: No index signature with a parameter of type 'string' was found on type '{ "A": string; } Uncaught Invariant Violation: Too many re-renders. React limits the number of renders to prevent an infinite loop Push method in React Hooks (useState)? JS file gets a net::ERR_ABORTED 404 (Not Found) React Hooks useState() with Object useState set method not reflecting change immediately Can't perform a React state update on an unmounted component UnhandledPromiseRejectionWarning: This error originated either by throwing inside of an async function without a catch block Can I set state inside a useEffect hook internal/modules/cjs/loader.js:582 throw err How to post query parameters with Axios? How to use componentWillMount() in React Hooks? React Hook Warnings for async function in useEffect: useEffect function must return a cleanup function or nothing FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory in ionic 3 How can I force component to re-render with hooks in React? What is useState() in React? How to call loading function with React useEffect only once Objects are not valid as a React child. If you meant to render a collection of children, use an array instead How to reload current page? Center content vertically on Vuetify Getting all documents from one collection in Firestore ERROR Error: Uncaught (in promise), Cannot match any routes. URL Segment How can I add raw data body to an axios request? Sort Array of object by object field in Angular 6 Uncaught SyntaxError: Unexpected end of JSON input at JSON.parse (<anonymous>) Axios Delete request with body and headers? Enable CORS in fetch api Vue.js get selected option on @change Bootstrap 4 multiselect dropdown Cross-Origin Read Blocking (CORB) Angular 6: How to set response type as text while making http call

Questions with google-chrome tag:

SessionNotCreatedException: Message: session not created: This version of ChromeDriver only supports Chrome version 81 SameSite warning Chrome 77 What's the net::ERR_HTTP2_PROTOCOL_ERROR about? session not created: This version of ChromeDriver only supports Chrome version 74 error with ChromeDriver Chrome using Selenium Jupyter Notebook not saving: '_xsrf' argument missing from post How to fix 'Unchecked runtime.lastError: The message port closed before a response was received' chrome issue? Selenium: WebDriverException:Chrome failed to start: crashed as google-chrome is no longer running so ChromeDriver is assuming that Chrome has crashed WebDriverException: unknown error: DevToolsActivePort file doesn't exist while trying to initiate Chrome Browser How to make audio autoplay on chrome How to handle "Uncaught (in promise) DOMException: play() failed because the user didn't interact with the document first." on Desktop with Chrome 66? how to open Jupyter notebook in chrome on windows Access Control Origin Header error using Axios in React Web throwing error in Chrome Invalid self signed SSL cert - "Subject Alternative Name Missing" Chrome violation : [Violation] Handler took 83ms of runtime Getting Error "Form submission canceled because the form is not connected" Violation Long running JavaScript task took xx ms Which ChromeDriver version is compatible with which Chrome Browser version? In Chrome 55, prevent showing Download button for HTML 5 video Why does this "Slow network detected..." log appear in Chrome? A Parser-blocking, cross-origin script is invoked via document.write - how to circumvent it? Disable Chrome strict MIME type checking Cannot open local file - Chrome: Not allowed to load local resource Chrome dev tools fails to show response even the content returned has header Content-Type:text/html; charset=UTF-8 "Uncaught TypeError: a.indexOf is not a function" error when opening new foundation project Is there any way to debug chrome in any IOS device net::ERR_INSECURE_RESPONSE in Chrome How to change the locale in chrome browser What does ==$0 (double equals dollar zero) mean in Chrome Developer Tools? How to prevent "The play() request was interrupted by a call to pause()" error? Disable-web-security in Chrome 48+ When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? How to open a link in new tab (chrome) using Selenium WebDriver? How to open google chrome from terminal? HTML 5 Video "autoplay" not automatically starting in CHROME Chrome / Safari not filling 100% height of flex parent Chrome:The website uses HSTS. Network errors...this page will probably work later Can a website detect when you are using Selenium with chromedriver? What is the "Upgrade-Insecure-Requests" HTTP header? require is not defined? Node.js Where does Chrome store cookies? Chrome net::ERR_INCOMPLETE_CHUNKED_ENCODING error Understanding Chrome network log "Stalled" state Edit and replay XHR chrome/firefox etc? Force hide address bar in Chrome on Android Google Chrome forcing download of "f.txt" file SSL cert "err_cert_authority_invalid" on mobile chrome only Run chrome in fullscreen mode on Windows "Proxy server connection failed" in google chrome How do I execute .js files locally in my browser? Google Chrome: This setting is enforced by your administrator

Questions with cookies tag:

SameSite warning Chrome 77 How to fix "set SameSite cookie to none" warning? Set cookies for cross origin requests Make Axios send cookies in its requests automatically How can I set a cookie in react? Fetch API with Cookie How to use cookies in Python Requests How to set cookies in laravel 5 independently inside controller Where does Chrome store cookies? Sending cookies with postman Can I set the cookies to be used by a WKWebView? PHP - Session destroy after closing browser Display A Popup Only Once Per User Why is it common to put CSRF prevention tokens in cookies? How do I view cookies in Internet Explorer 11 using Developer Tools What is the difference between localStorage, sessionStorage, session and cookies? Using Cookie in Asp.Net Mvc 4 Share cookie between subdomain and domain jQuery $.cookie is not a function How does cookie based authentication work? Token Authentication vs. Cookies How can I send cookies using PHP curl in addition to CURLOPT_COOKIEFILE? How to set cookie value with AJAX request? How to set cookie in node js using express framework? Set a cookie to HttpOnly via Javascript Set cookie and get cookie with JavaScript Cross domain POST request is not sending cookie Ajax Jquery Can I limit the length of an array in JavaScript? javascript set cookie with expire time Check if Cookie Exists PHP Curl And Cookies CURL to access a page that requires a login from a different page Check if a PHP cookie exists and if not set its value Get cookie by name Chrome doesn't delete session cookies Delete cookie by name? Arrays in cookies PHP how to create a cookie and add to http response from inside my service layer? How to get the cookie value in asp.net website How to read a HttpOnly cookie using JavaScript How do I set path while saving a cookie value in JavaScript? How to update and delete a cookie? Send cookies with curl How to send cookies in a post request with the Python Requests library? What is the difference between server side cookie and client side cookie? How to set a cookie for another domain How to delete cookies on an ASP.NET website jQuery check if Cookie exists, if not create it What is the difference between Sessions and Cookies in PHP? Cookies vs. sessions

Questions with samesite tag:

SameSite warning Chrome 77

Tags

Xslt-tools Gwt-animation Mixer Mainscreen Horizontalscrollview Maping Vim-plugin Ld Memory-leaks Bduf Finddialog Perceptron Chilkat Scientific-software Qtablewidgetitem Wmi-query Timestamp Linq-to-mysql Iptables Bluecove Table-rename Paramarray Platform-specific Mnemonics Css-reset Ormlite Catamorphism Svnignore Show-sql Birt Microtime Subdomain-fu Game-ai Boost-program-options Iprincipal Servicedcomponent Method-invocation Neat Madcap Penetration-testing Wgs84 Geography Data-interchange Poppler Arabic Soffice Stretchdibits Icons Addeventlistener Glteximage2d Robot Google-fusion-tables Nsdate Episerver-6 Stochastic Texture-mapping High-availability Restlet Eigenvector Stx Maxrequestlength Mcisendstring Concurrentmodification Http-unit Asihttprequest J-integra System.reactive Reformat Polyglot Loc Labeling Table-relationships Memory-mapped-files Usergroups Gcc4 Jung Browser Jquery-tools Lifetime Predicates Mysql-insert-id Arrange-act-assert Facebook-like Async-safe Passwords Capability Multiprocessing Xml-builder Propertygrid Property-editor Wif Or-designer Mainwindow Http-status-code-403 Http-status-code-304 Modbus Waitforexit Gtd Processor Winlogon