SameSite Cookie Attribute Warning Isn't getting fixed

Question

I am using react.js, and I'm trying to integrate lucky orange into my web app. I added the code snippet in the head tag of the index.html file, but I get a warning saying:

A cookie associated with a cross-site resource at http://luckyorange.net/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.

I tried setting the cookie in the head of the index.html document like this:

document.cookie = 'same-site-cookie=foo; SameSite=Lax';
document.cookie = 'cross-site-cookie=bar; SameSite=None; Secure';

But I'm still getting that error. What am I doing wrong and how can I fix it?

Answer 1

Without the actual code you're using, I'm only guessing that the situation here… however, a couple things:

The warning in the console is for http://luckyorange.net which is not a domain that you manage. Instead, the Lucky Orange team is responsible for ensuring their cookies are set appropriately. Changes you make in your code will only affect cookies set for your domain.

You should check in with Lucky Orange via a support ticket or similar to ensure they are aware of these upcoming changes and have a plan in place.

At the moment, these warnings are purely informational - they will not affect your site's functionality. This will be the default behaviour as of Chrome 80, stable around Feb 2020.

You will need to ensure your inclusion of any Lucky Orange resources is via HTTPS though, as this is required by the SameSite=None; Secure setting.

There's more context and guidance on https://web.dev/samesite-cookie-recipes.