Amplitude-JavaScript

Same site attribute not used for test cookies

Open morus12 opened this issue 4 years ago • 6 comments

This warning shows up even with sameSite configured.

Cookie “amplitude_cookie_test” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

It's because the function areCookiesEnabled sets the cookies and is called before the sameSite attribute is set. https://github.com/amplitude/Amplitude-JavaScript/blob/92829d1588db8eb01fcefa84ee8951ede3543459/src/metadata-storage.js#L12-L21

morus12 avatar Jun 18 '20 09:06 morus12

We are having the same issue. Console log is spammed with the missing sameSite warnings. On v7.1, areCookiesEnabled is to blame:

  • It tries to use Constants.COOKIE_TEST which is undefined (should be COOKIE_TEST_PREFIX)
  • It calls set with no options, so the sameSite warnings will be printed every time.

```js
const areCookiesEnabled = () => {
  const uid = String(new Date());
  try {
    const cookieName = Constants.COOKIE_TEST + base64Id();
    set(cookieName, uid, {});
    const _areCookiesEnabled = get(cookieName + '=') === uid;
    set(cookieName, null, {});
    return _areCookiesEnabled;
  } catch (e) {}
  return false;
};
```

gabberr avatar Jul 01 '20 12:07 gabberr
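The pattern the two comments above point at, as an added example that is not from the thread or from Amplitude's code: a cookie-availability probe that gives its test cookie the same SameSite/Secure attributes as the real cookies, for both the write and the delete. The names `buildCookie`, `probeCookies` and `makeJar` are hypothetical, and the in-memory jar is a constructed stand-in for `document.cookie`.

```javascript
// Hypothetical helpers for illustration; not part of the Amplitude SDK.
function buildCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite || 'Lax';
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite: ' + sameSite);
  // Browsers reject SameSite=None unless Secure is also present.
  if (sameSite === 'None' && !opts.secure) throw new Error('SameSite=None requires Secure');
  const v = value === null ? '' : encodeURIComponent(value);
  let str = `${name}=${v}; Path=/; SameSite=${sameSite}`;
  if (opts.secure) str += '; Secure';
  if (value === null) str += '; Expires=Thu, 01 Jan 1970 00:00:00 GMT';
  return str;
}

// jar: { write(str), read() }; in a browser both would wrap document.cookie.
function probeCookies(jar, opts) {
  const name = 'cookie_test_' + Math.random().toString(36).slice(2);
  const uid = String(Date.now());
  // Built outside the try so a bad option set throws instead of reading as "cookies off".
  const setStr = buildCookie(name, uid, opts);
  const delStr = buildCookie(name, null, opts); // delete with the same attributes
  try {
    jar.write(setStr);
    const ok = jar.read().split('; ').includes(`${name}=${uid}`);
    jar.write(delStr);
    return ok;
  } catch (e) {
    return false;
  }
}

// Constructed in-memory stand-in for document.cookie so the probe runs outside a browser.
function makeJar() {
  const store = new Map();
  const written = [];
  return {
    written,
    write(str) {
      written.push(str);
      const [pair, ...attrs] = str.split('; ');
      const eq = pair.indexOf('=');
      if (attrs.some((a) => a.startsWith('Expires=Thu, 01 Jan 1970'))) store.delete(pair.slice(0, eq));
      else store.set(pair.slice(0, eq), pair.slice(eq + 1));
    },
    read() {
      return [...store].map(([k, v]) => `${k}=${v}`).join('; ');
    },
  };
}
```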

Any update on this issue? Do you have any plans to take care of it? We're receiving many complaints from our customers about missing same site attr for cookies and Amplitude is the only thing left to fix it.

quarties avatar Sep 08 '20 17:09 quarties

Hi @quarties! Sorry for the lack of communication - we flagged this as an issue a few weeks back and are hoping to resolve this in the coming (~1-2) weeks - we'll keep you posted!

kelvin-lu avatar Sep 08 '20 17:09 kelvin-lu

@kelvin-lu thanks a lot! I really appreciate your effort <3

quarties avatar Sep 09 '20 06:09 quarties

Hello, I'm still getting this warning on Firefox (I see nothing in Chrome, but no amp_cookie_test is visible in the local storage, so perhaps the warning is just not visible?)

Cookie “amp_cookie_testHrIiHKBjFaeV7QkRhp-S9k” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I also see

Cookie “amplitude_test” has been rejected for invalid domain.

Though I see there was a fix in v.7.2.0, I've been using the 7.3.3 and still see the error.

eino avatar Nov 25 '20 10:11 eino

I'm seeing this as well on Firefox using 8.18.1. Any updates here? @kelvin-lu

ryanliszewski avatar Apr 25 '22 18:04 ryanliszewski