SameSite cookie warnings in background console
148 views
Skip to first unread message
Kent Brewster
Oct 9, 2019, 12:57:08 PM10/9/19
to Chromium Extensions
Now seeing a bunch of warnings in my background page that look like this:
"A cookie associated with a cross-site resource at [some domain] was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`."
I'm confused by the phrase "was set" in this error, since our extension only reads (and does not set) cookies. It feels like the problem Chrome is trying to describe something more like this:
"A cookie associated with a cross-site resource at [some domain] without the `sameSite` attribute was read. A future version of Chrome will not deliver this cookie unless it is it set with `sameSite=None` and `Secure.`"
Does that make sense?
Thanks very much,
--Kent
"A cookie associated with a cross-site resource at [some domain] was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`."
I'm confused by the phrase "was set" in this error, since our extension only reads (and does not set) cookies. It feels like the problem Chrome is trying to describe something more like this:
"A cookie associated with a cross-site resource at [some domain] without the `sameSite` attribute was read. A future version of Chrome will not deliver this cookie unless it is it set with `sameSite=None` and `Secure.`"
Does that make sense?
Thanks very much,
--Kent
Lily Chen
Oct 9, 2019, 1:15:20 PM10/9/19
to Kent Brewster, Chromium Extensions
Hi Kent,
Thanks for the suggestion.
We used the phrase "was set" because the SameSite attribute is part of the Set-Cookie header. The state of being without a SameSite attribute is a direct result of having been set without one.
I could see how that might be confusing though, if you are not the one setting the cookie but are only reading it.
We are planning to tweak the message text based on developer feedback, and we will consider differentiating between "was read" vs "was set".
Thanks,
Lily
--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/D171C17D-B072-4C7F-B195-492798062216%40pinterest.com.
Kent Brewster
Oct 10, 2019, 12:08:34 PM10/10/19
to Lily Chen, Chromium Extensions
Thanks, Lily!
Something else that bugging me: it's a warning, but it's triggering the scary red Errors button in developer mode. I wish there was a way to rig that button so warnings didn't count.
--Kent
Something else that bugging me: it's a warning, but it's triggering the scary red Errors button in developer mode. I wish there was a way to rig that button so warnings didn't count.
--Kent
馮韋元Francois Devatine
Oct 14, 2019, 2:48:00 AM10/14/19
to Chromium Extensions, chl...@chromium.org
+1 here
My extension is doing an XHR request to a site which has such cookies. The extension itself is not even requesting cookies permission, and has nothing to do with cookies.
So it doesn't really feel right to see a big red Error showing up on the chrome://extensions page.
Anyway, good to hear that it's only on developer mode normal users shouldn't have to worry about it.
> To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extensions+unsub...@chromium.org.
Lily Chen
Oct 14, 2019, 12:20:29 PM10/14/19
to 馮韋元Francois Devatine, Chromium Extensions, Lily Chen
Thanks, it's a good point. Kent has filed crbug.com/1013225 about this issue.
> To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
Reply all
Reply to author
Forward
0 new messages