Where to add `SameSite=None`?

I got the following appearing on my site, and I tried my best but can't grasp this, so I have a couple of questions, please read.

category-search-Forum:1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I've seen many people speak about this, on stack and other online places, but none have explained exactly how to add SameSite=None.

QUESTION 1: How or where do you add SameSite=None?

And looking at the error, what is "and Secure"?

Does that mean SameSite=Secure?

What is the difference between SameSite=None and SameSite=Secure?

Chaz Steiner Avatar asked Mar 23 '20 23:03




1 Answer

As discussed here: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

This is actually a server-side issue. All it is saying is that you are using a resource from another site (most often JS or CSS) and that server is attempting to set a cookie; however, it does not have the SameSite attribute set.

This is being done due to:

Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.

To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.

Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.

As your post doesn't say whether you are working server side or client side, my assumption is you are working client side, and as such there isn't anything you can do about it, as that resource needs to update it. HOWEVER, if you are doing server-side dev, here is a list of resources for different languages: https://github.com/GoogleChromeLabs/samesite-examples

TL;DR: If you are a client-side dev, this is because a linked resource does not have this set and there is nothing you can do about it. If you are a server-side dev, check out the GitHub link for examples of how to fix this for your site.

Edit: If you just want to get rid of the message, the solution was discussed here: Chrome Console SameSite Cookie Attribute Warning, where you can disable them through chrome://flags (Cookie Deprecation messages disabled).

Munsterlander Avatar answered Oct 13 '22 04:10

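As an added example (not part of the answer above, nor Chrome's or the linked GitHub repo's code): a small Python helper that builds a Set-Cookie header while enforcing the rule the answer quotes (SameSite=None must be paired with Secure), plus an audit function that classifies an existing Set-Cookie header the way the warning in the question does. Function names and the constructed header strings are my own.

```python
"""Build and audit Set-Cookie headers under the SameSite rules:
a cookie that must travel cross-site needs SameSite=None AND Secure;
SameSite=None without Secure is rejected by Chrome; a cookie with no
SameSite attribute at all is treated as Lax by default."""

VALID_SAME_SITE = ("Strict", "Lax", "None")


def build_set_cookie(name, value, same_site="Lax", secure=False,
                     http_only=True, path="/"):
    """Return a Set-Cookie header value (hypothetical helper), refusing
    the invalid SameSite=None-without-Secure combination up front."""
    if same_site not in VALID_SAME_SITE:
        raise ValueError(f"unknown SameSite value {same_site!r}")
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}", f"SameSite={same_site}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def audit_set_cookie(header):
    """Classify one Set-Cookie header value as Chrome's warning would.

    The first piece is name=value; every later piece is an attribute,
    with or without a value (e.g. 'Secure', 'SameSite=None')."""
    attrs = {}
    pieces = [p.strip() for p in header.split(";")]
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    same_site = attrs.get("samesite", "").capitalize()  # normalise case
    secure = "secure" in attrs
    if same_site == "None" and secure:
        return "cross-site-ok"
    if same_site == "None":
        return "rejected: SameSite=None without Secure"
    if not same_site:
        return "defaults-to-Lax: SameSite attribute missing"
    return f"first-party-only: SameSite={same_site}"


if __name__ == "__main__":
    # Constructed sample headers, one per case the warning distinguishes.
    for h in ("sid=abc; Path=/; SameSite=None; Secure",
              "sid=abc; SameSite=None", "sid=abc; Path=/"):
        print(h, "->", audit_set_cookie(h))
```

Run it against the Set-Cookie headers your own server emits (for example, copied from the Network tab) to see which cookies Chrome will block and which it will silently downgrade to Lax.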