
Find the cookie that causes Chrome's SameSite warning

As some of you know, Chrome will start using a new SameSite cookie policy this month (https://web.dev/samesite-cookies-explained/ and https://www.chromium.org/updates/same-site).

We are using Auth0 for our App and have seen this SameSite warning in Chrome's console since the end of last year:


Now, since the introduction of the new policy is getting closer, I tried to find the offending cookie using the Application view in Chrome's developer tools. This is what it shows:


As you can see, there is no entry for Secure or SameSite for any cookie.

So I enabled the new policy to see what will change. This can be done in chrome://flags


After these changes I see a message in the console, telling me that a cookie was blocked.


But the Application view in Chrome's developer tools shows exactly the same cookies as before.

Also, I went through each entry in the developer tools Network view. There is no Cookie tab for any of the entries.

This is very frustrating, as I do not know if the blocked cookie is relevant for the functioning of our application.

Is there a way to find out which cookie was blocked? Can't Chrome just mention the cookie in the warning that it writes into the console?

Waruyama asked Sep 05 '25 06:09


1 Answer

We've put together a more in-depth debugging guide here: https://www.chromium.org/updates/same-site/test-debug

As a tl;dr

  1. In the Network panel, select a request, go to the Cookies sub-tab, check the "show filtered out request cookies", and you can see each cookie along with the ones that were not included
  2. Capture a NetLog dump from Chrome and you can examine this in detail for the specific blocking events.

rowan_m answered Sep 07 '25 20:09
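
An added example, not part of the answer above or of Chrome's tooling: once the `Set-Cookie` response headers have been copied out of the Network panel, a small Node.js script can flag which cookies the SameSite-by-default policy affects (no `SameSite` attribute is treated as `Lax`; `SameSite=None` without `Secure` is rejected). The function names and the sample header values are constructed for illustration.

```javascript
// Constructed sample Set-Cookie values, not taken from the question's app.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',                 // no SameSite attribute
  'widget_state=xyz; Path=/; SameSite=None',          // None without Secure
  'sso_token=def456; Path=/; Secure; SameSite=None',  // explicit cross-site cookie
  'prefs=dark; Path=/; SameSite=Strict',
];

// Extract only the fields the SameSite policy looks at.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Verdict for one header under the SameSite-by-default rules.
function classify(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') {
    // SameSite=None is only accepted together with Secure.
    return { name: c.name, verdict: c.secure ? 'cross-site-ok' : 'rejected' };
  }
  if (c.sameSite === 'strict' || c.sameSite === 'lax') {
    return { name: c.name, verdict: 'same-site-explicit' };
  }
  // Missing SameSite is treated as Lax (this sketch files unrecognised values here too).
  return { name: c.name, verdict: 'defaults-to-lax' };
}

// Cookies worth checking first when the console warning appears.
function audit(headers) {
  return headers
    .map(classify)
    .filter((r) => r.verdict === 'rejected' || r.verdict === 'defaults-to-lax');
}

for (const r of audit(SAMPLE_HEADERS)) console.log(`${r.name}: ${r.verdict}`);
```

A `defaults-to-lax` cookie only matters if the application relies on it in a cross-site context such as an embedded iframe or a cross-origin request; a `rejected` cookie is never stored.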