Where to add `SameSite=None`?

Chaz Steiner · Mar 24, 2020 · Viewed 21.9k times

I got the following code happening on my site, and I tried my best but can't grasp this, so I have a couple of questions, please read.

category-search-Forum:1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I've seen many people speak about this, on stack and other online places, but none have explained exactly how to add SameSite=None.

1 QUESTION: how or where do you add the SameSite=None?

And looking at the error, what is "and 'Secure'"?

Does that mean SameSite=Secure?

What is the difference between SameSite=None and SameSite=Secure?

Answer

Munsterlander · Apr 6, 2020

As discussed here: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

This is actually a server side issue. All it is saying is that you are using a resource from another site (most often JS or CSS) and that server is attempting to set a cookie; however, it does not have the SameSite attribute set.

This is being done due to:

Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.

To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.

Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.

As your post doesn't define if you are working server side or client side, my assumption is you are working client side and as such, there isn't anything you can do about it as that resource needs to update it. HOWEVER, if you are doing server side dev, here is a list of resources for different languages: https://github.com/GoogleChromeLabs/samesite-examples

TLDR; If you are client side dev, then this is because a linked resource does not have this set and there is nothing you can do about it. If you are server side dev, check out the GitHub link for examples on how to fix this for your site.

Edit: If you just want to get rid of the message, the solution was discussed here: "Chrome Console SameSite Cookie Attribute Warning", where you can disable them through chrome://flags, "Cookie Deprecation messages" disabled.
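A server-side illustration of what the answer describes, added here as an example (not code from the answer or from the samesite-examples repository): the first function emits a `Set-Cookie` value carrying `SameSite=None` and `Secure` with Python's standard `http.cookies`, and the second classifies a header under the rule in the console warning. Cookie names and values are constructed, and treating an unrecognised value such as `SameSite=Secure` like a missing attribute is an assumption about browser handling of unknown values.

```python
from http.cookies import SimpleCookie  # the "samesite" key needs Python 3.8+


def cross_site_cookie(name, value, max_age=3600):
    """Build a Set-Cookie header value for a cookie meant to be sent cross-site."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    jar[name]["samesite"] = "None"  # explicit opt-in to cross-site delivery
    jar[name]["secure"] = True      # required whenever SameSite=None is used
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Classify a Set-Cookie value under the rule quoted in the console warning."""
    attrs = {}
    for part in header_value.split(";")[1:]:  # skip the leading name=value pair
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip().lower()
    samesite = attrs.get("samesite")
    if samesite is None:
        return "first-party only: no SameSite attribute, not sent cross-site"
    if samesite == "none":
        if "secure" in attrs:
            return "cross-site allowed: SameSite=None with Secure"
        return "rejected: SameSite=None without Secure"
    if samesite in ("lax", "strict"):
        return "first-party only: SameSite=" + samesite.capitalize()
    # Assumption: an unknown value is handled like a missing attribute.
    return "first-party only: unrecognised SameSite value"


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    samples = [
        cross_site_cookie("widget_session", "abc123"),
        "NID=xyz; Path=/; HttpOnly",
        "NID=xyz; Path=/; SameSite=None",
        "NID=xyz; Path=/; SameSite=Secure; Secure",
    ]
    for header in samples:
        print(f"{header!r:70} -> {audit_set_cookie(header)}")
```

`SameSite` and `Secure` are two separate attributes of the same `Set-Cookie` header, which is why the last sample is not classified as a valid cross-site cookie.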