Warning in Chrome console: A cookie was set without the SameSite attribute. #14395
Comments
As far as I'm aware, every cookie that can be HttpOnly is HttpOnly. Can you show one that is not that way?
What do you refer to here, @neunzehnachtneun? To the JS tracker? In JS you cannot set a cookie as HttpOnly.
Thank you for answering! Yes, I refer to the JS tracker and, yes, you are totally right. I read a bit about JavaScript and cookies and it's totally useless to set the cookie header to HttpOnly. But I also read about the cookie header 'SameSite=Strict', which is possible to use with JavaScript and which I would like to use with Matomo. What do you think about that?
While using (This does not mean I'm against it, but it might be a breaking change for some people.)
You would also need to have Matomo running on the very same domain? Not even a subdomain? Or would a subdomain still work?
SameSite is an origin-related setting and should be used with caution. It would have effects on the tracked data and would most certainly break the third-party cookie in many use cases.
Seems like this is becoming far more important: Chrome is planning to make all cookies that don't have an explicit SameSite option have SameSite=Lax by default. At the moment it is an optional flag ( (Disclaimer: I haven't fully understood the topic and the explanations are all a bit vague, so this might be incorrect.) Simply updating all cookies to add a SameSite=None flag won't help much, as on the one hand SameSite is a useful security feature, since it makes CSRF attacks far harder, and on the other hand there is a bug in all current Safari versions (iOS and macOS) that causes them to interpret SameSite=None as SameSite=Strict, which will break even more things. Another related change is that starting in Chrome 80 all cookies with SameSite=None and without the More details:
When talking about the third-party cookie (_pk_uid) and the opt-out cookie, I guess the best setting for all setups with Matomo on its own (sub)domain is SameSite=None + Secure. The Safari/iOS fix for SameSite=None will not be backported to iOS < 13, so we should not write the SameSite attribute for iOS and macOS until most users are on a fixed version. This would mean that the third-party feature and the opt-out iframe feature will require HTTPS, which should not be an issue in 2019. If possible, an alternative solution for the opt-out cookie on HTTP should be implemented.
We could possibly also detect some browsers and send different headers for them? But of course it would be hard to test and maintain it all, etc. Might be worth it for some very popular browsers/versions.
Data from 20.09.2019 (https://david-smith.org/iosversionstats/) |
Proposed values for the SameSite flag:
SameSite=None (but not for iOS or Safari on macOS)
SameSite=Lax

Proposed values for the secure flag:
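The policy sketched in the comments above (SameSite=Lax for first-party cookies; SameSite=None plus Secure for the third-party _pk_uid and opt-out cookies, which therefore need HTTPS; no SameSite attribute at all on Safari builds that read None as Strict), as an added JavaScript example. This is not Matomo's tracker code: the function names, the user-agent patterns, the affected-version cut-offs (iOS before 13, Safari on macOS 10.14) and the user-agent strings are assumptions and constructed test data for this illustration only.

```javascript
// Added example, not Matomo's own code. Decides the SameSite/Secure attributes for a
// tracker cookie following the proposal in the thread. Function names, user-agent
// patterns and version cut-offs are assumptions made for this illustration.

// Browsers that interpret SameSite=None as SameSite=Strict (assumed cut-offs: every
// browser on iOS before 13 is WebKit-based and affected; Safari on macOS 10.14).
function isSameSiteNoneBuggy(userAgent) {
  const ua = userAgent || '';
  const ios = ua.match(/(?:iPhone|iPad|iPod).*?OS (\d+)_/);
  if (ios) {
    return parseInt(ios[1], 10) < 13;
  }
  const macSafari = /Safari\//.test(ua) && !/Chrome|Chromium|Edg|Firefox/.test(ua);
  const mac = ua.match(/Mac OS X 10_(\d+)/);
  return macSafari && mac !== null && parseInt(mac[1], 10) === 14;
}

// crossSite: the cookie must travel on third-party requests (the _pk_uid third-party
// cookie, or the opt-out cookie set inside the opt-out iframe).
// https: whether the page is served over HTTPS (window.location.protocol === 'https:').
function sameSitePolicy({ crossSite, https, userAgent }) {
  if (!crossSite) {
    // First-party tracking cookie: the value Chrome 80 assumes when nothing is set.
    return { sameSite: 'Lax', secure: Boolean(https) };
  }
  if (!https) {
    // Chrome 80 rejects SameSite=None without Secure, so a cross-site cookie over
    // plain HTTP cannot work; report that instead of writing a cookie Chrome drops.
    return { sameSite: null, secure: false, error: 'cross-site cookies require HTTPS' };
  }
  if (isSameSiteNoneBuggy(userAgent)) {
    // No SameSite attribute at all: these builds would turn None into Strict.
    return { sameSite: null, secure: true };
  }
  return { sameSite: 'None', secure: true };
}

// Serialises one cookie for document.cookie. Returns null when the policy says the
// cookie cannot be set in a way that works.
function buildCookie(name, value, policy, { maxAgeSeconds = 0, path = '/', domain = '' } = {}) {
  if (policy.error) {
    return null;
  }
  let cookie = encodeURIComponent(name) + '=' + encodeURIComponent(value) + '; path=' + path;
  if (domain) cookie += '; domain=' + domain;
  if (maxAgeSeconds > 0) cookie += '; max-age=' + maxAgeSeconds;
  if (policy.secure) cookie += '; secure';
  if (policy.sameSite) cookie += '; SameSite=' + policy.sameSite;
  return cookie;
}

// Constructed user-agent strings for the demonstration (not captured from real visitors).
const UA = {
  chrome78: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36',
  ios12: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1',
  ios13: 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1',
  mac1014: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15',
};

// The cookie string each visitor gets for the third-party cookie over HTTPS, plus the
// first-party cookie over HTTP and the (impossible) third-party cookie over HTTP.
function demo() {
  const thirdPartyHttps = {};
  for (const [label, userAgent] of Object.entries(UA)) {
    const policy = sameSitePolicy({ crossSite: true, https: true, userAgent });
    thirdPartyHttps[label] = buildCookie('_pk_uid', 'abc123', policy, { maxAgeSeconds: 3600 });
  }
  const firstParty = sameSitePolicy({ crossSite: false, https: false, userAgent: UA.chrome78 });
  const thirdPartyPlain = sameSitePolicy({ crossSite: true, https: false, userAgent: UA.chrome78 });
  return {
    thirdPartyHttps,
    firstPartyHttp: buildCookie('_pk_id', 'abc123', firstParty, { maxAgeSeconds: 3600 }),
    thirdPartyHttp: buildCookie('_pk_uid', 'abc123', thirdPartyPlain, { maxAgeSeconds: 3600 }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the subdomain question raised earlier in the thread: SameSite compares registrable domains (the eTLD+1), not origins, so a Matomo instance on a subdomain of the tracked site is still same-site and its first-party cookies work with SameSite=Lax; only a Matomo host on a different registrable domain needs the SameSite=None; Secure path.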
@MichaelHeerklotz
It would be great to fix this in the next minor release, e.g. 3.12.1, as we're starting to get reports that people see a warning in their Chrome developer console:
Not sure if this issue is maybe related? #15083
Simply here to confirm @MichaelHeerklotz's proposition for default values, as they are in accordance with the Chrome DevTools warning: "A future release of Chrome will only deliver cookies with cross-site requests if they are set with
This still seems to be an issue, unless I have misunderstood something. Getting
Could you advise on how best to proceed?
@jackherizsmith can you maybe share with us on which page this is happening? Feel free to email us at support@matomo.cloud
Note: More info why this should be fixed in a soon Matomo release below: #14395 (comment)
Hi all,
this is my first issue in this project, so hopefully I do it right.
I would like to request a new feature to improve privacy. At the moment it is already possible to set the cookie lifetime to a shorter timespan and to set the cookie as secure.
I suggest also setting the cookie attributes HttpOnly and SameSite=Strict, so privacy would be improved and cross-site request forgery attacks could be prevented.
Thank you!