A cookie associated with a cross-site resource was set without the `SameSite` attribute

Hooman Bahreini picture Hooman Bahreini · Nov 13, 2019 · Viewed 24.3k times · Source

Chrome is giving me the following warning:

A cookie associated with a cross-site resource at http://quilljs.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.

Note that quilljs.com is a 3rd party domain.

I have seen these questions, the answers on both questions are similar, some say something like this:

nothing to do with your code. its something their web servers will have to support.

While others provide an answer like this:

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

I am not sure if this is something that I need to fix in my website, or is it something that should be fixed on the 3rd party library?

Answer

rowan_m picture rowan_m · Nov 14, 2019

The warning messages specifically call out the domain that's responsible for the cookie. In this case, it's quilljs.com. If that's your domain, then you need to update the cookie there. If it's a third-party service that you rely on, then it's that service that needs to update their cookies.

Edit More context is available at https://web.dev/samesite-cookies-explained and https://web.dev/samesite-cookie-recipes.