@MichaelHeerklotz opened this Issue on March 5th 2020 Contributor

A colleague just informed me that it is currently impossible to enable the "secure" flag for the 3rd party cookie.
This triggers a warning in browsers, because it is set to SameSite=None but not secure.

@ggr-mtm commented on March 5th 2020

Moreover, there is a problem with iframes using samesite=lax.
It would be appreciated to have an option in the Tag Manager Matomo Configuration variable to decide whether the cookie samesite attribute can be set to none and secure.
https://makandracards.com/makandra/71018-samesite-cookies
https://web.dev/samesite-cookie-recipes/
https://blog.heroku.com/chrome-changes-samesite-cookie

@tsteur commented on March 5th 2020 Member

Indeed. It seems None is set, but the secure flag is missing.

The tagmanager PreviewCookie needs to set some samesite value as well. We can use None if supported, but Lax should do here since it would only be read by the same domain AFAIK. When we set None and we are not on secure, it will fall back though anyway.
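
Added example (not part of the thread and not Matomo's code): a small check for the condition reported above, `SameSite=None` without `Secure`, plus a header builder that only emits `None` together with `Secure`. The function names, the cookie name and the choice of `Lax` as the fallback value on plain HTTP are assumptions.

```javascript
// Added example, not Matomo code. Function names and the Lax fallback are assumptions.

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Flag the condition reported in this issue: SameSite=None without Secure.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  return sameSite === 'none' && attrs.secure !== true
    ? ['SameSite=None without Secure']
    : [];
}

// Emit None only together with Secure on HTTPS; on plain HTTP fall back to Lax
// (assumed fallback value) so the cookie is not rejected.
function buildSetCookie(name, value, { sameSite = 'Lax', isHttps = false } = {}) {
  const effective = sameSite === 'None' && !isHttps ? 'Lax' : sameSite;
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', `SameSite=${effective}`];
  if (isHttps) parts.push('Secure');
  return parts.join('; ');
}

// Constructed sample headers (not captured from a real Matomo instance).
const samples = [
  'example_cookie=abc; Path=/; SameSite=None',
  'example_cookie=abc; Path=/; SameSite=None; Secure',
  buildSetCookie('example_cookie', 'abc', { sameSite: 'None', isHttps: false }),
];
for (const h of samples) console.log(h, '=>', auditSetCookie(h));
```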

@tsteur commented on March 5th 2020 Member
@ggr-mtm commented on March 6th 2020

How does it work with an iframe service?
Can we also set a Set-Cookie: first_party_var=value; SameSite=none secure?

here
https://blog.heroku.com/chrome-changes-samesite-cookie

If you don't know whether you provide cookies that are intended for cross-site usage, some common use-cases are

You present content in an <iframe>.

Or we may need a third-party cookie?
Thanks

@tsteur commented on March 7th 2020 Member

You mean for the tag manager preview cookie? Could do. Although it might not be needed, as the preview cookie only works on the same domain as Matomo anyway, and when maybe all is on the same domain it might not be an issue? Can do though; the only problem is that it makes it more difficult for some users when they have http and https, and the preview mode would then only work on https. This is why I went for Lax.

@ggr-mtm commented on March 9th 2020

Thomas,
I was talking about this use case:

I've got a site with a partner called mybrand.partnerbrand.com

I've set a first-party cookie in Tag Manager, in the Matomo Configuration variable on this site, with the cookie domain name mybrand.partnerbrand.com
That works: when you call the URL directly through the browser, the cookie is set as a first-party cookie.

But when you call the URL mybrand.partnerbrand.com through an iframe in the site mybrand.com, the cookie on mybrand.partnerbrand.com is not set.

To do this, if I understand the cookie mechanism since Chrome 80 correctly, you need to set a 3rd party cookie with domain partners.mybrand.com with samesite=none and the secure attribute.
Is that it?
So in Matomo you choose once between first- or third-party cookies in the configuration files? Is that true?

To achieve the goal through an iframe, we need to decide in the Matomo Configuration variable in Tag Manager whether the cookie will be 1st or 3rd party (with the none and secure attributes).

@tsteur commented on March 9th 2020 Member

@ggr-mtm I think what you are after is actually https://github.com/matomo-org/tag-manager/issues/217 . We don't support setting the cookie on a different domain yet in tag manager. I'm getting a bit confused though why you are referring to Matomo Variable Configuration. Maybe have a look here re third party cookies. I suggest you create a new issue with what exactly you're after in the Tag Manager repository so we can discuss there, as it may not be directly related. Tag Manager basically only sets a preview cookie, no other cookies.

@tsteur commented on March 15th 2020 Member

@MichaelHeerklotz PR was merged, we're hoping this works for you.

This Issue was closed on March 15th 2020