This is the message I am getting using a Leaflet.js heatmap, and I can't see my circle markers, and I believe this is most likely the issue.

Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery. Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use. Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests.

I am using JavaScript, and the video from Chrome said to do:

Set-Cookie: cname=cvalue; SameSite = None; Secure

But where do I do this?

asked Feb 25, 2021 at 3:25 by Ryan Lindsey
  • 1 When you set cookies, you can set attributes that the browser will read, such as Expires or Max-Age (Cookie: a=b; Expires=Wed, 21 Oct 2021 07:28:00 GMT). Same-Site and Secure are such attributes. So if you're setting cookies, be that on the server-side or from JS, you'll have to add ; SameSite=None; Secure at the end. – Andreu Botella Commented Feb 25, 2021 at 3:29
  • 1 So I put (Cookie: a=b; Expires=Wed, 21 Oct 2021 07:28:00 GMT; SameSite=None; Secure) at the top of my JS file? What specifically do I put? Sorry for my ignorance lol – Ryan Lindsey Commented Feb 25, 2021 at 3:36
  • If you're using cookies, you must be either setting document.cookie on your javascript, or you must have some server-side code (PHP, Node.js, Flask, Django, etc) that adds a Set-Cookie header. The value of document.cookie or of the Set-Cookie header is what you have to change. – Andreu Botella Commented Feb 25, 2021 at 3:41
  • I'm not using document.cookie, because I have no clue what that is. I'm sending http requests via MapBox API that are getting blocked, so assuming it would be document.cookie, which I have not specified in my JS document, what would I do? I need literal code haha – Ryan Lindsey Commented Feb 25, 2021 at 3:52
  • This is probably not your fault, since that's something the MapBox API would have to change. The requirement for cookies to be marked either SameSite=None or Secure is a recent change in all browsers, needed because anything else would have a high risk of exposing your cookies (and so your login sessions) to someone who shouldn't have them. That said, make sure you're calling that API over HTTPS, rather than HTTP – Andreu Botella Commented Feb 25, 2021 at 3:57

1 Answer
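// Minimal Express setup so the routes below run as written
const express = require("express");
const app = express();

// set cookie: SameSite=None must be paired with Secure, so serve this over HTTPS
app.get("/set-cookie", (req, res) => {
  res.header("Set-Cookie", `username="john doe"; Path=/; HttpOnly; Secure; SameSite=None;`);
  res.status(200).json({ message: "Cookie has been set" });
});

// clear cookie: pass the same attributes used when setting it, otherwise the
// expiring Set-Cookie defaults to SameSite=Lax and is not accepted cross-site
app.get("/clear-cookie", (req, res) => {
  res.clearCookie("username", { path: "/", httpOnly: true, secure: true, sameSite: "none" });
  res.status(200).json({ message: "Cookie has been cleared" });
});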
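
The browser message quoted in the question reduces to a small decision rule over the cookie's attributes. The following is an added example, not code from the question, the answer or Mapbox: a hypothetical `auditSetCookie` helper, run over constructed header values, that reports the effective SameSite mode and whether the cookie would accompany cross-site subrequests (fetch, XHR, images loaded from another site).

```javascript
// Added example: classify a Set-Cookie header value using the rule from the
// browser message. auditSetCookie and the sample headers are constructed here.
function auditSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const name = pair.split("=")[0].trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const eq = part.indexOf("=");
    // Attribute names are case-insensitive; whitespace around "=" is ignored.
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (key) attrs.set(key, eq === -1 ? "" : part.slice(eq + 1).trim());
  }
  const secure = attrs.has("secure");
  const raw = (attrs.get("samesite") || "").toLowerCase();
  const valid = ["strict", "lax", "none"].includes(raw);
  // A missing or unrecognised SameSite value is treated as Lax.
  const effectiveSameSite = valid ? raw : "lax";
  const findings = [];
  if (!attrs.has("samesite")) findings.push("SameSite missing, defaults to Lax");
  else if (!valid) findings.push("SameSite invalid, defaults to Lax");
  // SameSite=None is only accepted together with Secure.
  const rejected = effectiveSameSite === "none" && !secure;
  if (rejected) findings.push("SameSite=None without Secure, cookie rejected");
  return {
    name,
    effectiveSameSite,
    secure,
    rejected,
    // Only SameSite=None plus Secure accompanies cross-site subrequests.
    sentInCrossSiteSubrequests: effectiveSameSite === "none" && secure,
    findings,
  };
}

// Constructed sample headers, including the two forms shown on this page.
const samples = [
  "cname=cvalue",
  "cname=cvalue; SameSite = None; Secure",
  "cname=cvalue; SameSite=None",
  'username="john doe"; Path=/; HttpOnly; Secure; SameSite=None;',
];
for (const h of samples) console.log(h, "=>", auditSetCookie(h));
```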
