Chrome is reporting the following warning:
A cookie associated with a cross-site resource at https://www.googletagmanager.com/ was set without the
SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=None
andSecure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I have two warnings of this type. The three cookies I see are gtm_auth
, gtm_preview
, and gtm_debug
. All session cookies. I see gtm_auth
is set with Secure
attribute (SameSite
attribute is empty). The other two cookies do not have either attribute set.
They are classified as analytical cookies, not marketing cookies, by the way.
Using Google Tag Manager
, how do I set or modify these cookies? I'm not looking to update the cookies in my code. I imagine adding cookie attributes should be doable using Google Tag Manager
. What is Google's stance on how to address this with Google Analytics
and Google Tag Manager
?
To prepare, Android allows native apps to set cookies directly through the CookieManager API. You must declare first party cookies as SameSite=Lax or SameSite=Strict , as appropriate. You must declare third party cookies as SameSite=None; Secure .
To test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the "SameSite by default cookies" and "Cookies without SameSite must be secure" experiments.
Universal Analytics tags in Tag Manager can replace the name of the cookie with cookieName via a Google Analytics settings variable. In Tag Manager, open a Google Analytics settings variable and select Variable Configuration > More Settings > Fields to Set. When the Fields to Set section is expanded, click Add Row.
Enable the new SameSite behavior If you are running Chrome 91 or newer, you can skip to step 3.) Go to chrome://flags and enable (or set to "Default") both #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart Chrome for the changes to take effect, if you made any changes.
For any of these warnings, if you are not responsible for the domain then you are not responsible for updating the cookies. The Google Tag Manager team will be responsible for updating the relevant code that sets the SameSite
attributes for cookies from googletagmanager.com
.
At this point, the warnings are purely informational and are not impacting functionality. Enforcing this behaviour in stable Chrome is not scheduled until M80, currently targeted for Feb 2020.
Chrome is already rolling out this change. You can set cookie flag in analytics.js or gtag.js for this to work, for example:
gtag('config', 'G-N2A3FMNDT5', {
cookie_flags: 'max-age=7200;secure;samesite=none'
});
For more information and background, see this blog post: The New cookieFlags Setting In Google Analytics
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With