googlechromelabs / samesite-examples

Examples of using the SameSite cookie attribute in a variety of languages, libraries, and frameworks.

Home Page: https://web.dev/samesite-cookies-explained

License: Apache License 2.0

samesite-examples's Issues

Rack::Session::Cookie example please

Firefox (76.0.1) gives me this error
Cookie “rack.session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
when I set up my config.ru with...

use Rack::Session::Cookie,
        :key          => 'rack.session',
        :httponly     => true,
        :same_site    => :strict,
        :path         => '/',
        :expire_after => 86400,
        :secret       => ENV.fetch('SESSION_SECRET')

I'm not finding any substantive hits on a google search. Thanks for what you guys are doing!

Seeking clarification

There's a lot of talk about Google eliminating third party cookies in the future and I cannot get clarity despite reading a hundred blog posts by various people.

Can I get clarity to these questions please:

  1. Is it true that by end of 2032 it will be impossible under any circumstances for third party cookies to be used?
  2. Is it true that Google are only changing how they enforce and default the various types of cookie attributes?
  3. Is it the case that a cookie created as SameSite=None and Secure, will always be sent irrespective of domain names?

How do I resolve same-site none for cookie given by Google Adwords Tracking?

My client's website is getting these SameSite cookie warnings in Chrome. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on an Apache/2.4.7 (Ubuntu) hosted by DreamHost running PHP 7.1, always running on https. To my .htaccess file, I've tried adding:

Header always edit Set-Cookie (.*) "$1; SameSite=Lax"
and I tried

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
...and I tried

Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"
as well as many other combinations.

I've tried your code for PHP 7.2 and below as shown on this website:

header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

Could we get some clarity on where this code should go? And perhaps a real working example? Does it go in an .htaccess file or in php.ini, or where in the PHP code should it be called? Also, it's not clear what should be used for the "name" in your example code, or if I even need to change that value, as the dev tools show over 10 cookie names associated with the Google address.

Here's the warning I'm getting in the Chrome Console:

(index):1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

AngularJS version 1.5 does not support the new Google Chrome mandatory SameSite=None

Hi Guys,

I am facing a problem where the new Google Chrome version update (80+) is causing the website to break: we are not able to maintain the cookies when we interact with any third party, basically a cross-site origin.

Chrome mandates adding the SameSite=None; Secure attributes to the cookie in order to allow any third-party cookie. We have updated this but it is not working, and when we checked our AngularJS version it is 1.5+ and does not support it.

Updating to a newer version of AngularJS, that is 1.7, which supports the SameSite attribute, is a challenge for us. So please guide me: is there any way we can achieve this in version 1.5, so we can continue to get the cross-site origin cookie response?

Set cookie in shopify extension

I'm working on a Shopify extension in PHP CodeIgniter, PHP version 7.1.
I'm receiving this error while I'm installing the extension on Shopify:
The app couldn't be loaded
Then I added this code in the default controller:

header('Set-Cookie: same-site-cookie=foo; SameSite=Lax');
header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

But I'm still receiving the above error, even though the cookie was created, as I checked it in Application > Storage > Cookies.
Can anyone guide me on what is missing or why I'm still getting this error on Chrome 80?
Thanks!

Could not make it work :(


Hi, I have found your repo and tried to add the line according to the examples to https://github.com/ali-shariatii/portfolio , but as I'm a newbie, I could not fix the problem!

Could you let me know where, which file and exactly what syntax to write in order to fix the problem?

These are the errors in the Firefox console:

Samesite cookie issue

We are interacting with a payment gateway in our web application.
Due to the latest update in chrome we are unable to get the session cookie as response after successful payment.
Could you please guide us to find out whether the SameSite cookie attribute needs to be updated from our end, or whether the payment gateway needs to make the changes.

SameSite flag is not set when cookie is set in browser using javascript

Hello team,

I used the given JS snippet to set a cookie with SameSite=None;

document.cookie = 'cross-site-cookie=bar; SameSite=None; Secure';

But I do not see "None" value in SameSite column in Chrome Dev Toolbar -> Application -> Cookies. Is it the desired behavior?
I can see "None" value in SameSite column in Chrome Dev Toolbar -> Application -> Cookies when I try to set a cookie from http-header in a response from a server.

Confused by docs: cross-site image request with credentials

Quick summary: I have two domains. A returns sameSite=None Secure cookie on login, which grants access to /img. B has an img tag that tries to load the image from A. But cookies are not being sent from B to A!

Hi I've watched @hnasr video on sameSite cookies and I've been playing around today but I am more confused than confident in how cross site cookies work!

I am trying to achieve exactly what Hussein achieved in the video - he set the cookie from domainA as sameSite=none; secure and then the img would load on domainB with no issues, sending the cookies to gain access.

I don't understand how he has achieved this.

My domain A is https://express-cross-site-cookie.onrender.com - the same express server Hussein used!
My domain B is https://mok419.github.io - I can't seem to load the image from domain A here!!

My main issue is that when I use a normal img tag with only src=https://express-cross-site-cookie.onrender.com no cookies are sent. Then I tried adding crossOrigin="allowCredentials" and now I get back a CORS error.

Hussein didn't use any CORS on the server, so why is my browser expecting a CORS setup? Has this been patched or something, as I can't find much about anyone trying to load an image which relies on cookies. I read that it could be a Cloudflare cache issue, but bypassing the cache with a URL parameter doesn't help!

Many thanks!!

Repo for domain A https://github.com/mok419/cross-site-cookies
Repo for domain B https://github.com/mok419/mok419.github.io

Problem with session stored on browser (chrome latest version 80)

There is a cookie "PHPSESSID" that is auto-generated. Let's assume that the cookie value is "123".
After some navigation on the website and adding a product to the cart, the products are stored in SESSION. There is a connection with a bank that will redirect the user to the bank website to make the payment and come back again to the website to finish the order. When the user is redirected back to the website the "PHPSESSID" is changed and all the SESSION data has been removed. This is with the latest version of Chrome. I have tested it in incognito and didn't have the problem.

Browser doesn't recognize SameSite cookie

Using Chrome V79.0.3945.117

I have the experimental SameSite features enabled.

I'm maintaining an old Classic ASP (vbscript) website, and updated it to implement the recommended changes to cookies.

In the screenshot you can see the cookies are set correctly, but they're still being blocked.

Can anyone tell me why this may be happening?

Java example

How about a Java servlet example with different versions of the servlet API (some older ones don't support addCookie() with a SameSite attribute)?

SameSite=None enabled but cookie not getting stored

For the last couple of weeks users have not been able to access my web application. My web application is embedded in another service provider's page and is accessed via an iframe.

The problem is the cookies I set are not getting stored by Chrome even if I set them with "SameSite=None; Secure" attributes. Here is a screenshot:


The warning icon to the right reads "The set-cookie was not stored due to user preferences".

Also, in DevTools this iframe's web requests are flagged as requests having SameSite issues.

Can someone clarify?

SameSite = None, Secure = True for a local network

My company has a chatbot which is embedded in the company's websites through an iframe. These websites are only internal, which means they can only be accessed within the local network of the company, so there is no https protocol implemented.

If Secure=True has to come with SameSite=None, does that mean our chatbot cannot work with cross-domain cookies without implementing the https protocol? Is there any workaround for such a situation?

Blocks in chrome 66

Can you update the document with the compatible versions for Chrome, Mozilla, Opera, Edge and Safari?

SameSite = None;Secure for Google App Engine web apps; (SACSID) cookie blocked in iframe.

I have a Google App Engine application (A) which accesses some content from another Google App Engine app (B) in an iframe. This feature had been working for some time. Suddenly it stopped working after the browser update. In the Dev tools, I am getting a "cookie blocked due to samesite attribute missing" message. But when I access the apps individually, it works fine. Also, I verified in dev tools that the cookie in both these apps has the samesite attribute set to none and secure. I had surfed and read about this attribute and I believe setting this attribute enhances security by blocking third-party cookie access, and Chrome has made it mandatory (enforcing this). Hence, disabling this in chrome://flags is not an option I am considering, but I checked by doing this and it works. So why does Chrome block the iframe content even though the cookie has the samesite attribute none and secure? Since the server environments are App Engine (GCP), this case was supposed to be a single sign-on use case, as App Engine uses Gmail logins to authenticate. So all the cookies must have the samesite attribute set to none and secure. But I am not understanding the logic behind blocking the third-party cookie in the iframe of app A.

Google chrome version : 83.0.4103.97 (Official Build) (64-bit)

How can I implement SameSite=none in Java?

I am looking at the Cookie API; there is no setter for 'SameSite'. Also, Tomcat 9.0.30 supports it, but some of my applications don't run on Tomcat, they are on other servers, so I need to resolve it in Java.
I just found this example but I don't want to do it this way:

response.setHeader("Set-Cookie", "key=value; SameSite=none; Secure")

Explanation of the logic used in this example

I am implementing SameSite and came across a scenario which, in my opinion, does not behave as it should.

a.com

  • form is posted to b.com with username/password

b.com

  • receives the posted variables from a.com
  • checks username/password
  • if they are found to be valid creates session/cookies with samesite=strict then redirects to b.com/loggedin.php

In this example, the session and cookies, while created on b.com will not exist on b.com/loggedin.php. From my understanding, the samesite logic sees a.com as the top of the chain when it reaches b.com/loggedin.php and eliminates the session/cookies. The problem is they were created on b.com.

One could argue, 'but what if you created something harmful in your session/cookie on b.com because of what was posted from a.com?' Yeah, sure that is possible, but that would be due to poor coding on my part on b.com. I am trying to wrap my head around why they have chosen this route in the example. It is blocking what was CREATED ON the SAMESITE.

What value should I send for `SameSite = None` and `Secure`?

The Chrome update has given me great trouble.
So far, I still haven't found anyone's answer that correctly addresses the SameSite issues in Chrome 80.
Let me leave the following questions for me and us.

In my HTML page, there is only an <iframe> provided by YouTube.
However, in Chrome, 'cross-site requests if they are set with SameSite = None and Secure' is displayed.

What should I do?

I only did the YouTube iframe; what cookie value and session value should I send?
I want a direct solution.

A fake method like 'cross-site-cookie = name' doesn't help me.
I need a direct way to experience it.

I want it for PHP version <7.3 and I want to solve the problem with PHP or JavaScript or .htaccess etc.

** If you use only an <iframe> tag, as with YouTube, a danger sign is displayed unconditionally.
I don't know the value required by the external URLs. What value should I send to the external URLs as a session?

Can't create cookies when using SameSite=None in older versions of Chrome.

Hi @rowan-m ,
I'm using Chrome v62. I transformed my cookie attributes as below:

document.cookie = cname + "=" + cvalue
  + "; " + "expires=" + d.toUTCString()
  + "; path=/; sameSite=None; secure;";
// where cname = cookie name,
// cvalue = cookie value,
// and d = expiry date epoch

As mentioned in the documentation of this feature, I was expecting the default behaviour of the cookie being created but the None attribute value not being recognised. But the cookie is not getting created at all.
Can you please explain why?

P.S.:
When I ran the same code with Chrome v76, the code ran fine. The cookie gets created, and it recognises the None attribute and the secure flag.

[Question] Cross-site cookie between HTTP and HTTPS?

The frontend of my website is hosted on surge.sh, which uses HTTP.
The backend of my website is hosted on Heroku, which uses HTTPS.

The website was working fine a few months ago.

Now, the server could not read the cookie from the request anymore. By investigating, I believe the samesite and secure cookie policy disable this pattern.

Is this the issue? If yes, any workaround or recommendation?

Use of SameSite with authenticated user-content domains

We are running into an issue in the case of a user-content domain protected by a BeyondCorp-style authenticating proxy, and are hoping for some guidance on best practices in this type of (increasingly common) setup.

Consider a primary domain, foo.com, and a companion "user content" domain, foo-usercontent.com. The latter is used for arbitrary user content uploads and various static assets (CSS, JS, etc.), following web best practices.

Both domains are protected by a BeyondCorp style authenticating proxy, that uses JWTs for authentication of every request. The same JWT can be used for authenticating on either domain. The JWT is set without the SameSite directive.

Visiting foo.com issues an initial request that uses the cookie for foo.com in a first-party context, and returns content that must now be fetched from foo-usercontent.com.

Prior to Chrome v80, the Cookie with the JWT would be sent on requests to foo-usercontent.com, allowing them to be authenticated, and content fetched.

Post Chrome v80, we get the familiar message about the Cookie being blocked from being used. As a result, static content cannot be fetched from the foo-usercontent.com domain, as the request is treated as unauthenticated due to the missing JWT token. The pages do not render correctly, resulting in a confusing user experience. The obvious workaround is, most unfortunately, to disable the #same-site-by-default-cookies feature.

We asked the vendor of the authenticating proxy whether they would be willing to set SameSite=None on the cookie and allow it to be used in cross-site requests to the user-content domain. The answer was that there were no plans to change the behavior here.

The question(s):

Does the lack of SameSite directive, and the resultant interpretation of SameSite=Lax, make sense in a situation like this?

Would there be any valid argument, from a security perspective, for setting SameSite=None on this authentication cookie, allowing the cookie to be sent on requests for foo-usercontent.com in a third-party context, as it was before?

[Question] Aren't cookies treated as SameSite=Lax by default in "document.cookie" in the browser?

Hi @rowan-m

I wrote this script in Chrome console (84.0.4147.105),

document.cookie="test=123"

and then checked Chrome Developer Tools,

but there is no SameSite attribute with "Lax".


[Question] Aren't cookies treated as SameSite=Lax by default in "document.cookie" in the browser?

According to the document, I had a different result in mind.

Treat cookies as SameSite=Lax by default if no SameSite attribute is specified.

https://www.chromestatus.com/feature/5088147346030592

If so, are there any official announcement about this case ?
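The scenarios in the issues "Explanation of the logic used in this example" (a.com posting a login form to b.com, which sets a SameSite=Strict cookie and redirects), "Use of SameSite with authenticated user-content domains" (a foo.com page fetching assets from foo-usercontent.com with a cookie that has no SameSite attribute) and the document.cookie question directly above all come down to two rules: what a browser accepts at storage time, and what it attaches at request time. The following is an added example, not code from the samesite-examples repo or from any of the posters: a small model of those two rules, replayed over the posters' scenarios. The helper names (`parseSetCookie`, `storeCookie`, `isCookieSent`, `runScenarios`), the cookie values and the request descriptions are constructed for illustration, and the "initiator site versus target site" check is a deliberate simplification: a real browser derives same-siteness from the whole redirect chain and frame ancestry, and Chrome's two-minute Lax+POST allowance for defaulted cookies is not modelled.

```javascript
// Added example, not code from the samesite-examples repo: a simplified model of
// how a Chrome 80+ style browser stores cookies and decides whether to attach them.
// Helper names, site names and cookie values are constructed for illustration.

// Parse one Set-Cookie header value (or a document.cookie assignment string)
// into a cookie record. Only the attributes the model needs are kept.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v ? v.toLowerCase() : null;
  }
  return cookie;
}

// Storage-time rule: SameSite=None is only accepted together with Secure.
// An unrecognised SameSite value is stored as if the attribute were absent.
// Nothing is written back into the record when SameSite is missing; the Lax
// default is applied later, when a request is built (which is why DevTools
// shows the SameSite column empty for such cookies).
function storeCookie(cookie) {
  if (cookie.sameSite === 'none' && !cookie.secure) {
    return { stored: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (cookie.sameSite !== null && !['none', 'lax', 'strict'].includes(cookie.sameSite)) {
    return { stored: true, cookie: { ...cookie, sameSite: null } };
  }
  return { stored: true, cookie };
}

// Request-time rule. `req` has: targetSite (where the request goes), initiatorSite
// (the top-level site for subresources and iframes, the referring site for a
// navigation), topLevelNavigation (boolean), method and https. Simplification:
// a real browser derives "same-site" from the whole redirect chain and frame tree,
// and Chrome's two-minute Lax+POST allowance for defaulted cookies is not modelled.
function isCookieSent(cookie, req) {
  if (cookie.secure && !req.https) return false;
  if (req.initiatorSite === req.targetSite) return true;
  const effective = cookie.sameSite === null ? 'lax' : cookie.sameSite; // lax-by-default
  if (effective === 'none') return true;
  if (effective === 'strict') return false;
  return req.topLevelNavigation && req.method === 'GET'; // Lax: top-level GET navigations only
}

// The scenarios raised in the issues, replayed through the model.
function runScenarios() {
  const results = {};
  const set = (h) => storeCookie(parseSetCookie(h)).cookie;

  // a.com POSTs a login form to b.com; b.com sets the session cookie and redirects
  // to b.com/loggedin.php. That redirect is a top-level GET still initiated by a.com,
  // so a Strict cookie is withheld while a Lax cookie would ride along.
  const redirect = { targetSite: 'b.com', initiatorSite: 'a.com', topLevelNavigation: true, method: 'GET', https: true };
  results.strictAfterCrossSitePost = isCookieSent(set('sid=abc; SameSite=Strict; Secure'), redirect);
  results.laxAfterCrossSitePost = isCookieSent(set('sid=abc; SameSite=Lax; Secure'), redirect);

  // A foo.com page loads CSS/JS from foo-usercontent.com. The JWT cookie has no
  // SameSite attribute, so it defaults to Lax and is withheld from the subresource request;
  // only SameSite=None; Secure restores the pre-Chrome-80 behaviour.
  const subresource = { targetSite: 'foo-usercontent.com', initiatorSite: 'foo.com', topLevelNavigation: false, method: 'GET', https: true };
  results.jwtOnUserContent = isCookieSent(set('jwt=token; Secure'), subresource);
  results.jwtOnUserContentWithNone = isCookieSent(set('jwt=token; SameSite=None; Secure'), subresource);

  // document.cookie = "test=123": stored with no SameSite attribute, yet still
  // treated as Lax when the browser decides whether to attach it cross-site.
  results.unspecifiedStoredAttribute = set('test=123').sameSite;
  results.unspecifiedCrossSiteSubresource = isCookieSent(set('test=123'), subresource);

  // SameSite=None without Secure never makes it into the cookie jar.
  results.noneWithoutSecureStored = storeCookie(parseSetCookie('x=1; SameSite=None')).stored;
  return results;
}
```

Running `runScenarios()` gives `strictAfterCrossSitePost: false`, `laxAfterCrossSitePost: true`, `jwtOnUserContent: false`, `jwtOnUserContentWithNone: true`, `unspecifiedStoredAttribute: null`, `unspecifiedCrossSiteSubresource: false` and `noneWithoutSecureStored: false`. The split between `storeCookie` and `isCookieSent` is the point: the SameSite attribute restricts when a stored cookie is attached, not whether it is stored, while the None-requires-Secure rule is the one check that happens at storage time.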
