"SameSite=none" does not work with iframe

Mikolay Bet · Mar 18, 2020 · Viewed 14.6k times

After upgrade to Chrome Version 80.0.3987.132 cookies are not sent to the iframe request. On the Network tab (Chrome Dev tools), I do not see cookies for my requests.

After turning on the option "show filtered out request cookies" I see my cookies marked "This cookie was not sent due to user preferences."

The header for the cookie set:

set-cookie: token=jf23HaUI91Bd8L1chHq; expires=Wed, 18-Mar-2020 16:01:59 GMT; Max-Age=1799; path=/; SameSite=None; secure; domain=.example-domain.com; HttpOnly

When I open an iframe on the same domain everything works fine, but if it is a third-party domain via http or https, cookies will not work.

Has anyone come across this or know how to fix it?

Answer

Jay Shah · Apr 20, 2021

I think you should ensure that the SameSite flag is always set to None for those cookies. If it's initially set to Lax and you then try to change it to None, it may not work.

Also, you should ensure that the Secure flag is always set to true for SameSite=None cookies.
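The rules the question and answer touch on (a missing SameSite attribute defaults to Lax in Chrome 80+, SameSite=None is rejected unless Secure is also present, and a Secure cookie is never sent to an HTTP iframe) can be checked against a Set-Cookie header before deploying it. The checker below is an added example, not code from either poster; the `parse_set_cookie` and `cross_site_iframe_verdict` helpers are my own names, and the sample headers other than the one quoted in the question are constructed.

```python
# Sanity check: would a Chrome 80+ style browser send this cookie on a
# cross-site request such as a third-party iframe load?

# Header quoted in the question above (value shortened only in meaning, not format).
PAGE_HEADER = ("set-cookie: token=jf23HaUI91Bd8L1chHq; expires=Wed, 18-Mar-2020 16:01:59 GMT; "
               "Max-Age=1799; path=/; SameSite=None; secure; domain=.example-domain.com; HttpOnly")


def parse_set_cookie(header):
    """Split a Set-Cookie header into the name/value pair and its attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    if header.lower().startswith("set-cookie:"):      # tolerate a pasted header line
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cross_site_iframe_verdict(header, iframe_scheme="https"):
    """Return (sent, reason) for a cross-site iframe request under Chrome 80+ SameSite rules."""
    attrs = parse_set_cookie(header)["attrs"]
    samesite = str(attrs.get("samesite", "lax")).lower()
    if samesite not in ("none", "lax", "strict"):
        samesite = "lax"                               # unknown/empty value is treated as unspecified -> Lax
    secure = attrs.get("secure", False) is True
    if samesite == "none" and not secure:
        return False, "SameSite=None without Secure: the browser rejects the cookie when it is set"
    if samesite in ("lax", "strict"):
        return False, "SameSite=%s (or no SameSite) is never sent on cross-site iframe requests" % samesite.capitalize()
    if secure and iframe_scheme != "https":
        return False, "Secure cookie is not sent to an iframe loaded over plain HTTP"
    return True, "SameSite=None; Secure over HTTPS: cookie is sent cross-site"


if __name__ == "__main__":
    # Constructed variants alongside the header from the question.
    for hdr, scheme in [(PAGE_HEADER, "https"), (PAGE_HEADER, "http"),
                        ("token=abc; Path=/; SameSite=None", "https"),   # constructed: no Secure
                        ("token=abc; Path=/; Secure", "https")]:        # constructed: no SameSite
        print(scheme, cross_site_iframe_verdict(hdr, scheme))
```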