
SameSite = None, Secure = True for a local network

Open hazymoon22 opened this issue 5 years ago • 1 comments

My company has a chatbot which is embedded in the company's websites through an iframe. These websites are only internal, which means they can only be accessed within the local network of the company, so there is no https protocol implemented.

If Secure=True has to come with SameSite=None, does that mean our chatbot cannot work with cross-domain cookies without implementing the https protocol? Is there any workaround for such a situation?

hazymoon22, Mar 18 '20 03:03

Short answer: yes, any cross-site cookies must be SameSite=None; Secure.

Options:

  • Can you have your internal sites as subdomains? e.g. http://app1.internal, http://app2.internal?
  • Can you provision free certificates via https://letsencrypt.org/ ?
  • Are your work machines using an enterprise-managed version of Chrome? If so, you can apply policies to exempt certain sites from this behaviour: https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies
  • You can disable this behaviour via the two flags chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure; however, this is not a permanent solution.

rowan-m, Mar 20 '20 15:03
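To make the rules behind the answer concrete, here is an added example (not code from the samesite-examples repository or from either participant) that models how Chrome 80 decides whether to store a cookie and whether to attach it to a request from an embedded iframe. All host names and cookies are constructed; the `site()` helper is a deliberate simplification that treats the last two host labels as the registrable domain rather than consulting the Public Suffix List, and the Lax rule is reduced to "same-site, or a top-level navigation" (the temporary two-minute Lax+POST allowance is omitted).

```javascript
// Added example: a small model of the SameSite/Secure rules discussed above.
// Assumptions: site() approximates eTLD+1 with the last two labels (no PSL
// lookup), and Lax is modelled as "same-site, or top-level navigation".

// Parse a Set-Cookie header value into {name, value, sameSite, secure}.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: null, // attribute absent; Chrome 80 then treats it as Lax
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "samesite") cookie.sameSite = v.toLowerCase();
    if (k.toLowerCase() === "secure") cookie.secure = true;
  }
  return cookie;
}

// Registrable-domain approximation (assumption: last two labels, no PSL).
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Would the browser store this cookie when it is set by a response from setBy?
// Returns a short reason string so callers can log the outcome.
function storeDecision(cookie, setBy) {
  const origin = new URL(setBy);
  if (cookie.secure && origin.protocol !== "https:") {
    return "rejected: Secure cookie set over http";
  }
  if (cookie.sameSite === "none" && !cookie.secure) {
    return "rejected: SameSite=None requires Secure";
  }
  return "stored";
}

// Would a stored cookie be attached to `request` while the page shown in the
// address bar is `topLevel`? `navigation` is true only for a top-level
// navigation; iframe loads and XHR/fetch calls inside the frame are false.
function sendDecision(cookie, topLevel, request, navigation = false) {
  const req = new URL(request);
  if (cookie.secure && req.protocol !== "https:") return false;
  const crossSite = site(new URL(topLevel).hostname) !== site(req.hostname);
  const mode = cookie.sameSite ?? "lax"; // Chrome 80 default when absent
  if (mode === "none") return true; // only reachable if Secure (see storeDecision)
  if (!crossSite) return true; // Strict and Lax both allow same-site requests
  return mode === "lax" && navigation;
}

// Walk the reporter's scenario and the "same site via subdomains" option.
function report() {
  const lines = [];
  const intranet = "http://intranet.corp.test/";
  const bot = "http://chatbot.vendor.test/widget";
  const plain = parseSetCookie("sid=abc123");
  lines.push(`no attribute, http iframe: ${sendDecision(plain, intranet, bot)}`);
  const none = parseSetCookie("sid=abc123; SameSite=None");
  lines.push(`SameSite=None without Secure: ${storeDecision(none, "http://chatbot.vendor.test/")}`);
  const secure = parseSetCookie("sid=abc123; SameSite=None; Secure");
  lines.push(`None; Secure over https: ${sendDecision(secure, intranet, "https://chatbot.vendor.test/widget")}`);
  const lax = parseSetCookie("sid=abc123; SameSite=Lax");
  lines.push(`Lax, same site: ${sendDecision(lax, "http://app1.corp.internal/", "http://chatbot.corp.internal/widget")}`);
  return lines;
}

for (const line of report()) console.log(line);
```

The `report()` walk shows why the first two options in the answer work: moving the chatbot under the same registrable domain as the sites that embed it makes the iframe request same-site, so a default (Lax) cookie is attached without any `SameSite=None; Secure` requirement, while serving the chatbot over TLS makes `SameSite=None; Secure` acceptable to the browser. A cross-site chatbot on plain http is caught by both the "None requires Secure" rule and the Lax default.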