Setting Google Tag Manager cookies with SameSite and Secure attributes

user3621633 picture user3621633 · Oct 11, 2019 · Viewed 11k times · Source

Chrome is reporting the following warning:

A cookie associated with a cross-site resource at https://www.googletagmanager.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I have two warnings of this type. The three cookies I see are gtm_auth, gtm_preview, and gtm_debug. All session cookies. I see gtm_auth is set with Secure attribute (SameSite attribute is empty). The other two cookies do not have either attribute set.

They are classified as analytical cookies, not marketing cookies, by the way.

Using Google Tag Manager, how do I set or modify these cookies? I'm not looking to update the cookies in my code. I imagine adding cookie attributes should be doable using Google Tag Manager. What is Google's stance on how to address this with Google Analytics and Google Tag Manager?

Answer

rowan_m picture rowan_m · Oct 15, 2019

For any of these warnings, if you are not responsible for the domain then you are not responsible for updating the cookies. The Google Tag Manager team will be responsible for updating the relevant code that sets the SameSite attributes for cookies from googletagmanager.com.

At this point, the warnings are purely informational and are not impacting functionality. Enforcing this behaviour in stable Chrome is not scheduled until M80, currently targeted for Feb 2020.