Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

A cookie associated with a cross-site resource was set without the `SameSite` attribute

Chrome is giving me the following warning:

A cookie associated with a cross-site resource at http://quilljs.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.

Note that quilljs.com is a 3rd party domain.

I have seen these questions, the answers on both questions are similar, some say something like this:

nothing to do with your code. its something their web servers will have to support.

While others provide an answer like this:

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

I am not sure if this is something that I need to fix in my website, or is it something that should be fixed on the 3rd party library?

like image 817
Hooman Bahreini Avatar asked Nov 13 '19 04:11

Hooman Bahreini


People also ask

How do I fix the SameSite cookie problem?

Fixing common warnings The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.

What is cookie without SameSite attribute?

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

How do you set a cookie with SameSite attribute?

To prepare, Android allows native apps to set cookies directly through the CookieManager API. You must declare first party cookies as SameSite=Lax or SameSite=Strict , as appropriate. You must declare third party cookies as SameSite=None; Secure .

How do you resolve indicate to send a cookie in a cross-site request by specifying its SameSite attribute?

Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.


1 Answers

The warning messages specifically call out the domain that's responsible for the cookie. In this case, it's quilljs.com. If that's your domain, then you need to update the cookie there. If it's a third-party service that you rely on, then it's that service that needs to update their cookies.

Edit More context is available at https://web.dev/samesite-cookies-explained and https://web.dev/samesite-cookie-recipes.

like image 131
rowan_m Avatar answered Oct 04 '22 14:10

rowan_m