Setting Google Tag Manager cookies with SameSite and Secure attributes - cookies

Chrome is reporting the following warning:
A cookie associated with a cross-site resource at https://www.googletagmanager.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I have two warnings of this type. The three cookies I see are gtm_auth, gtm_preview, and gtm_debug. All are session cookies. I see gtm_auth is set with the Secure attribute (the SameSite attribute is empty). The other two cookies do not have either attribute set.
They are classified as analytical cookies, not marketing cookies, by the way.
Using Google Tag Manager, how do I set or modify these cookies? I'm not looking to update the cookies in my code. I imagine adding cookie attributes should be doable using Google Tag Manager. What is Google's stance on how to address this with Google Analytics and Google Tag Manager?

For any of these warnings, if you are not responsible for the domain then you are not responsible for updating the cookies. The Google Tag Manager team will be responsible for updating the relevant code that sets the SameSite attributes for cookies from googletagmanager.com.
At this point, the warnings are purely informational and are not impacting functionality. Enforcing this behaviour in stable Chrome is not scheduled until M80, currently targeted for Feb 2020.

Chrome is already rolling out this change. You can set the cookie flags in analytics.js or gtag.js for this to work, for example:
gtag('config', 'G-N2A3FMNDT5', {
cookie_flags: 'max-age=7200;secure;samesite=none'
});
For more information and background, see this blog post: The New cookieFlags Setting In Google Analytics

Related

How to fix cookie rejection because of invalid domain?

We are experiencing some strange behaviour on a landing page: tracking cookies that were set when the user gave consent are later being rejected when the user refreshes the page (!?).
Steps:
(in Firefox / Firefox Dev Edition - because the warning is not visible in e.g. Chrome)
=> [url-removed]
=> "Accept all". At this stage you can see a "_mkto_trk" (Marketo Tracking) cookie via dev tools.
=> Go to the console tab in web dev tools and refresh the page.
Now you should be able to see a warning in the console log saying:
Cookie “_mkto_trk” has been rejected for invalid domain.
You can also see that the previous set _mkto_trk cookie is no longer set.
Expected Results
The expected result is for the cookie to persist after the page refreshes.
Regarding the warning
In the MDN Web Docs it says that:
The invalid cookie domain error is a WebDriver error that occurs when
an illegal attempt was made to set a cookie under a different domain
than that of the current document.
https://developer.mozilla.org/en-US/docs/Web/WebDriver/Errors/InvalidCookieDomain
The current document, the landing page in other words is on a subdomain: blog.example.com
But the cookie is set at ".example.com" which should make it valid for subdomains as well.
What have I tried?
Well, I have been looking for answers in order to better understand where the issue is coming from, without any success.
Any help would be much appreciated, and thanks in advance!
P.S. This is my first post, so any hints/tips as to how to make this post better, would also be welcome.
Update
The problem was because of our cookie-script vendor and their trigger for google tag manager - the 'CookieScriptAcceptAll' trigger was not firing.
The solution was to:
scan the page for cookies (via cookie-script.com dashboard) which will populate the cookies categories array with cookie categories
and use the 'CookieScriptCategory-targeting' trigger instead (changes made via google tag manager dashboard).
Note the solution from above is for cases where you use google tag manager to add tags to your site.
Link to cookie-script documentation for info on triggers:
https://support.cookie-script.com/article/20-custom-events

Problem with Samesite in Google Login Popup

In my project I use Google Login. This functionality stopped working a few weeks ago. I run login with Google in an iframe. It just closes the window and nothing happens. Inside dev tools there are the following warnings:
A cookie associated with a cross-site resource at http://google.com/
was set without the SameSite attribute. It has been blocked, as
Chrome now only delivers cookies with cross-site requests if they are
set with SameSite=None and Secure. You can review cookies in
developer tools under Application>Storage>Cookies and see more details
at https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at https://google.com/
was set without the SameSite attribute. It has been blocked, as
Chrome now only delivers cookies with cross-site requests if they are
set with SameSite=None and Secure. You can review cookies in
developer tools under Application>Storage>Cookies and see more details
at https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at
https://accounts.google.com/ was set without the SameSite attribute.
It has been blocked, as Chrome now only delivers cookies with
cross-site requests if they are set with SameSite=None and Secure.
You can review cookies in developer tools under
Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.

SameSite Cookie setup by third party developers

We have a pixel file just like Google Analytics, Facebook Pixel, or the Hotjar pixel, which we give to our customers and they add it to their website. We then set some cookies on their website with our domain.
I read this article on SameSite cookies and I understand that if I am the first party's developer I should use SameSite: Strict or Lax to not let a third party like us read their secret cookies. But I cannot find any resource for third-party developers who get, set and read cookies on the first party's website.
What should the third party developers use in SameSite cookie if they want to get and set only first party's cookies?
If I fully understand your question, there's a confusion: SameSite is not about sharing the cookie with someone else.
In any case, a cookie issued by SiteA will only be sent to SiteA.
What Google is going to add as a protection is to distinguish between:
SiteA (= same site) requests a resource on SiteA (the cookie will be sent, whatever its SameSite attribute value)
SiteB (= another site) requests a resource on SiteA (the cookie will be sent only if SameSite is Lax, or - in future versions of Chrome - SameSite=None;Secure)
So, if you provide a script to be included from another site, the cookie must have a SameSite=Lax attribute.
It's the case for an analytics script, as it is (for example) for a CDN providing jQuery.
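One way to check Set-Cookie headers like the ones in the first question (gtm_auth, gtm_preview, gtm_debug) against the SiteA/SiteB distinction this answer draws, as an added example that is not code from any of the posts: it parses each header's attributes, then applies Chrome's M80 defaults to decide whether the cookie would be attached to a cross-site request, separating top-level navigations (the only cross-site case where Lax cookies travel) from embedded script and iframe requests. Sample headers are constructed, with placeholder values; HttpOnly is recorded too since the ColdFusion question below concerns it.

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class Cookie:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent

def parse_set_cookie(header: str) -> Cookie:
    """Extract the security-relevant attributes from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    secure, httponly, samesite = False, False, None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip().capitalize() or None  # "none" -> "None"
    return Cookie(parts[0].split("=", 1)[0], secure, httponly, samesite)

def sent_cross_site(c: Cookie, top_level_navigation: bool) -> bool:
    """Chrome M80+ rule: absent/unknown SameSite counts as Lax; None is honoured only with Secure."""
    mode = c.samesite if c.samesite in ("Strict", "Lax", "None") else "Lax"
    if mode == "None":
        return c.secure
    if mode == "Lax":
        return top_level_navigation  # Lax: top-level navigations only, never iframes or scripts
    return False  # Strict: never on cross-site requests

def audit(header: str) -> List[str]:
    """Findings for a cookie that a third-party script or iframe needs on cross-site requests."""
    c = parse_set_cookie(header)
    findings = []
    if c.samesite is None:
        findings.append("missing SameSite (Chrome defaults it to Lax)")
    elif c.samesite == "None" and not c.secure:
        findings.append("SameSite=None without Secure is rejected")
    if not sent_cross_site(c, top_level_navigation=False):
        findings.append("not delivered on cross-site subresource/iframe requests")
    return findings
SAMPLES = {  # constructed headers modelled on the question's cookie names; values are placeholders
    "gtm_auth": "gtm_auth=PLACEHOLDER; Path=/; Secure",                   # Secure, no SameSite
    "gtm_preview": "gtm_preview=PLACEHOLDER; Path=/",                      # neither attribute
    "gtm_debug_fixed": "gtm_debug=PLACEHOLDER; Path=/; Secure; SameSite=None",
    "JSESSIONID": "JSESSIONID=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Strict",
}
```

Running `audit` over each entry of `SAMPLES` reproduces the console warnings' reasoning: only the `gtm_debug_fixed` header passes cleanly.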

Could not disable HttpOnly flag in browser via ColdFusion

In our application, we use J2EE session variables for session management. We recently migrated from ColdFusion 9 to ColdFusion 2018. After migration, the logout functionality is not working. What we found is that, in ColdFusion 2018, the cookie JSESSIONID is not getting cleared from the browser because the HttpOnly flag has been set to true in the browser.
We tried to disable this HttpOnly flag in the browser in the following ways:
By disabling HttpOnly flag and Global Script Protection in CF admin.
By modifying the jvm.config via CF admin by adding "-Dcoldfusion.sessioncookie.httponly=false".
But this way the HttpOnly flag is still showing as enabled in the browser. Because of this, the client-side script is not able to clear the cookie JSESSIONID and hence logout functionality is not working.
Is there any way, in CF2018, to disable the HttpOnly flag in the browser for the cookie JSESSIONID?
Note:
In CF9, the HttpOnly flag is disabled in the browser for the cookie JSESSIONID.
We use the CF2018 enterprise edition (Trial Version, not yet expired).
Restarted CF services after updating the settings in CF admin.
You'll likely have to refactor your application to address a number of OWASP vulnerabilities that could not be handled by CF 9 out of the box. Depending on your audience, you should get a 3rd party to perform a security penetration test against your code base.
You're going to need to refactor your log out process. You shouldn't disable httpOnly on the jsessionid cookie, it's a prevention against Cross-Site Scripting attacks.
https://www.owasp.org/index.php/HttpOnly
According to the Microsoft Developer Network, HttpOnly is an
additional flag included in a Set-Cookie HTTP response header. Using
the HttpOnly flag when generating a cookie helps mitigate the risk of
client side script accessing the protected cookie (if the browser
supports it).
https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN
When using JEE session IDs, you need to add this to part of your logout process:
<cfset getPageContext().getSession().invalidate()>
Then redirect to another page like your login screen. This will delete the jsessionid cookie and actually invalidate the JEE session on the server.

Google reCaptcha v.2 causes cross-site cookie warnings in Chrome browser

I added a google reCaptcha script v2 to the login page of my app. It works alright but I get the following console warnings every time it initializes:
A cookie associated with a cross-site resource at http://google.com/
was set without the SameSite attribute. A future release of Chrome
will only deliver cookies with cross-site requests if they are set
with SameSite=None and Secure. You can review cookies in developer
tools under Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032
Seems like this reCaptcha iframe is saving cookies but doing it the wrong way. Is anybody facing the same problem? Is there any way to affect this behavior and get rid of these console warnings?
Your question is related to this one: SameSite warning Chrome 77
Basically, it will be the library's job to fix their cookies, and the warning serves only as a warning.