samesite-examples

SameSite=None enabled but cookie not getting stored

Open venkat-vj opened this issue 5 years ago • 3 comments

For the last couple of weeks users are not able to access my web application. My web application is embedded in another service provider's page and is accessed via an iframe.

The problem is the cookies I set are not getting stored by Chrome even if I set them with "SameSite=None; Secure" attributes. Here is a screenshot:

Screen Shot 2020-03-28 at 11 01 19 AM

The warning icon to the right reads "The set-cookie was not stored due to user preferences".

Also, in DevTools this iframe's web requests are flagged as requests having SameSite issues.

Can someone clarify?

venkat-vj avatar Mar 28 '20 05:03 venkat-vj

This sounds as if you might have "Block third-party cookies" enabled in the browser. You can check this in: Settings → Site Settings → Cookies and site data → Block third-party cookies. Also available via: chrome://settings/content/cookies

You might also see some red sections on https://samesite-sandbox.glitch.me if you have this setting enabled.

Screenshot from 2020-03-31 11-19-57

rowan-m avatar Mar 31 '20 10:03 rowan-m

Thanks a bunch for checking on this.

I had checked chrome://settings/content/cookies and did not find any sites blocked.

But when adding my site domain to the "Allow" list, the cookies are getting stored and the page works as expected. But I am not sure if this is a practical solution as there are thousands of users who are using our application.

Here is the screenshot from https://samesite-sandbox.glitch.me

Screen Shot 2020-04-01 at 5 33 03 PM

I am unsure if this is actually an issue or not.

Also, I am using Brave and not the actual Chrome. In my local Chrome it works fine. Though users who are complaining are using Chrome.

Best

venkat-vj avatar Apr 01 '20 12:04 venkat-vj

As of 2024, Chrome has started a gradual blockage of 3rd party cookies. Cookies with sameSite=none; Secure and the Partitioned attribute unset operating in cross-contexts are now counted as third-party cookies, and CHIPS, the Storage Access API, and Related Website Sets are the only ways to read and write cookies from cross-contexts.

This can be a real problem if your server is on a different domain than your websites.

I guess your best bet is to either set the Partitioned attribute to true, or proxy all your client requests to the same domain that your server resides in and skip CORS altogether.

okay-head avatar May 07 '24 06:05 okay-head
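
A way to triage the `Set-Cookie` headers discussed in this thread, written as an added example that is not part of the issue or of the samesite-examples repository: it parses a header and reports how a Chromium-style browser would treat the cookie inside a cross-site iframe. The function names, verdict strings and sample headers are constructed for illustration.

```javascript
// Added example: classify a Set-Cookie header for use in a cross-site iframe.
// Attribute names are matched case-insensitively, as browsers do.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = new Map();
  for (const a of rest) {
    if (!a) continue; // tolerate a trailing ';'
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? '' : a.slice(i + 1).trim());
  }
  return {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs,
  };
}

function classifyForCrossSiteIframe(header) {
  const { attrs } = parseSetCookie(header);
  // A missing SameSite attribute is treated as Lax by default.
  const sameSite = (attrs.get('samesite') || 'lax').toLowerCase();
  const secure = attrs.has('secure');
  const partitioned = attrs.has('partitioned');

  // Lax/Strict cookies are not available to a cross-site embedded frame.
  if (sameSite !== 'none') return 'not-sent-cross-site';
  // SameSite=None and Partitioned are both rejected without Secure.
  if (!secure) return 'rejected-needs-secure';
  // Stored only while the user/browser still allows third-party cookies.
  if (!partitioned) return 'third-party-unpartitioned';
  // CHIPS: stored in a jar keyed by the top-level site embedding the iframe.
  return 'partitioned';
}

// Constructed sample headers, one per outcome.
const samples = [
  'sid=abc123; Path=/; HttpOnly',
  'sid=abc123; Path=/; SameSite=None',
  'sid=abc123; Path=/; SameSite=None; Secure',
  'sid=abc123; Path=/; samesite=none; secure; Partitioned;',
];
for (const h of samples) {
  console.log(classifyForCrossSiteIframe(h).padEnd(26), h);
}
```

The `third-party-unpartitioned` verdict corresponds to the situation reported above, where the cookie is well-formed but storage depends on the browser's third-party cookie setting.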