Same site attribute not used for test cookies #271

Open
morus12 opened this issue Jun 18, 2020 · 6 comments

@morus12

morus12 commented Jun 18, 2020

This warning shows up even with sameSite configured.

Cookie “amplitude_cookie_test” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

It's because the function areCookiesEnabled sets the cookies and is called before the sameSite attribute is set.

class MetadataStorage {
  constructor({storageKey, disableCookies, domain, secure, sameSite, expirationDays}) {
    this.storageKey = storageKey;
    // areCookiesEnabled() writes its test cookie here, before sameSite/secure are stored below
    this.disableCookieStorage = !baseCookie.areCookiesEnabled() || disableCookies;
    this.domain = domain;
    this.secure = secure;
    this.sameSite = sameSite;
    this.expirationDays = expirationDays;
    this.cookieDomain = '';
    // ... (rest of the constructor is not shown in the excerpt)
  }
}

@gabberr

gabberr commented Jul 1, 2020

We are having the same issue. Console log is spammed with the missing sameSite warnings. On v7.1, areCookiesEnabled is to blame:

  • It tries to use Constants.COOKIE_TEST, which is undefined (should be COOKIE_TEST_PREFIX).
  • It calls set with no options, so the sameSite warnings will be printed every time.

const areCookiesEnabled = () => {
  const uid = String(new Date());
  try {
    const cookieName = Constants.COOKIE_TEST + base64Id();
    set(cookieName, uid, {});
    const _areCookiesEnabled = get(cookieName + '=') === uid;
    set(cookieName, null, {});
    return _areCookiesEnabled;
  } catch (e) {}
  return false;
};
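
As an added illustration of the point raised in the comment above (not part of the thread and not Amplitude's code): a cookie-support probe that applies the configured sameSite/secure options to both the test write and the cleanup write, and refuses SameSite=None without Secure. `serializeCookie`, `probeCookies` and `FakeJar` are hypothetical names; `FakeJar` is a constructed stand-in for `document.cookie` so the code runs under Node.

```javascript
// Added example; serializeCookie, probeCookies and FakeJar are hypothetical names.
const VALID_SAMESITE = ['Strict', 'Lax', 'None'];

// Serialize a cookie, refusing the combination the Firefox warning is about.
function serializeCookie(name, value, { sameSite = 'Lax', secure = false, expires } = {}) {
  if (!VALID_SAMESITE.includes(sameSite)) throw new Error(`invalid sameSite: ${sameSite}`);
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  let str = `${name}=${encodeURIComponent(value)}; path=/; SameSite=${sameSite}`;
  if (secure) str += '; Secure';
  if (expires) str += `; expires=${expires.toUTCString()}`;
  return str;
}

function readCookie(jar, name) {
  const hit = jar.cookie.split('; ').find((c) => c.startsWith(name + '='));
  return hit === undefined ? null : decodeURIComponent(hit.slice(name.length + 1));
}

// Probe cookie support with the caller's options on the write and on the cleanup.
// `jar` is any object with a document.cookie-style `cookie` property (`document` in a browser).
function probeCookies(jar, options, prefix = 'cookie_test_') {
  const name = prefix + Math.random().toString(36).slice(2);
  const uid = String(Date.now());
  const setStr = serializeCookie(name, uid, options); // bad config throws here, visibly
  const clearStr = serializeCookie(name, '', { ...options, expires: new Date(0) });
  try {
    jar.cookie = setStr;
    const ok = readCookie(jar, name) === uid;
    jar.cookie = clearStr;
    return ok;
  } catch (e) {
    return false; // cookie storage is blocked or unavailable
  }
}

// Constructed stand-in for document.cookie; records every raw write for inspection.
class FakeJar {
  constructor() { this.store = new Map(); this.writes = []; }
  get cookie() { return [...this.store].map(([k, v]) => `${k}=${v}`).join('; '); }
  set cookie(str) {
    this.writes.push(str);
    const [pair, ...attrs] = str.split('; ');
    const key = pair.slice(0, pair.indexOf('='));
    const expired = attrs.some((a) => /^expires=/i.test(a) && new Date(a.slice(8)) <= new Date());
    if (expired) this.store.delete(key);
    else this.store.set(key, pair.slice(pair.indexOf('=') + 1));
  }
}
```

In a browser, `probeCookies(document, { sameSite, secure })` would be called only after the configuration has been read, so the test cookie never goes out without its attributes.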

@quarties

quarties commented Sep 8, 2020

Any update on this issue? Do you have any plans to take care of it? We're receiving many complaints from our customers about missing same site attr for cookies and Amplitude is the only thing left to fix it.

@kelvin-lu
Contributor

Hi @quarties! Sorry for the lack of communication - we flagged this as an issue a few weeks back and are hoping to resolve this in the coming (~1-2) weeks - we'll keep you posted!

@quarties

quarties commented Sep 9, 2020

@kelvin-lu thanks a lot! I really appreciate your effort <3

@eino

eino commented Nov 25, 2020

Hello,
I'm still getting this warning on Firefox (I see nothing in Chrome, but no amp_cookie_test is visible in the local storage, so perhaps the warning is just not visible?)

Cookie “amp_cookie_testHrIiHKBjFaeV7QkRhp-S9k” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I also see

Cookie “amplitude_test” has been rejected for invalid domain.

Though I see there was a fix in v.7.2.0, I've been using the 7.3.3 and still see the error.

@ryanliszewski

I'm seeing this as well on Firefox using 8.18.1. Any updates here? @kelvin-lu
