GoogleChromeLabs / samesite-examples

Examples of using the SameSite cookie attribute in a variety of languages, libraries, and frameworks.
https://web.dev/samesite-cookies-explained
Apache License 2.0

How do I resolve same-site none for cookie given by Google Adwords Tracking? #4

Open bensontrent opened 5 years ago

bensontrent commented 5 years ago

My client's website is getting these SameSite cookie warnings in Chrome. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on Apache/2.4.7 (Ubuntu) hosted by DreamHost, running PHP 7.1, always on https. To my .htaccess file, I've tried adding:

    Header always edit Set-Cookie (.*) "$1; SameSite=Lax"

and I tried

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

...and I tried

    Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"

as well as many other combinations.

I've tried your code for PHP 7.2 and below as shown on this website:

    header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

Could we get some clarity on where this code should go? And perhaps a real working example? Does it go in an .htaccess file or in php.ini, or where in the PHP code should it be called? Also, it's not clear what should be used for the "name" in your example code, or whether I even need to change that value, as the dev tools show over 10 cookie names associated with the google address.

Here's the warning I'm getting in the Chrome Console:

(index):1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

rowan-m commented 5 years ago

The cookies triggering the warning are coming from google.com so you will not be able to alter them. The Ads team is aware of these issues and is working to get their cookies fixed before the Feb 2020 stable date. It also means that none of the header directives you're specifying will affect the google.com cookie, it will only cover cookies set for your site.

If you have any cookie warnings that specifically list a domain you control, then you will need to add the correct attributes.

That said - I'll leave this open because I should get some Apache examples in to show transforming cookies.
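The point in the reply above (only cookies set by a domain you control can be fixed with your own headers) is easy to get wrong when the console shows a dozen cookies at once. The following triage helper is an added example, not code from the samesite-examples repository: it takes a Set-Cookie header, the host that sent it, the top-level site the user is on and the set of sites you control, applies the two Chrome 80 rules the thread is about, and says whether the cookie is delivered and whether fixing it is in your hands. The sample headers are constructed; the registrable-domain check is a deliberate two-label simplification of what browsers do with the Public Suffix List.

```python
from dataclasses import dataclass

# Added triage helper; not code from the samesite-examples repository. Given a
# Set-Cookie header, the host that sent it, the top-level site the user is on
# and the set of domains you control, it reports how Chrome 80's two changes
# ("SameSite by default cookies", "Cookies without SameSite must be secure")
# treat the cookie and whether fixing it is in your hands at all. Chrome's
# two-minute "Lax + POST" exception for fresh cookies is not modelled.


@dataclass
class Verdict:
    cross_site: bool     # set from a different site than the page the user is on
    delivered: bool      # would Chrome 80 keep and send it in that context?
    reason: str          # short explanation, phrased like the console warnings
    owner_can_fix: bool  # True only when the cookie's site is one you control


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the pair and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0], attrs


def site_of(host: str) -> str:
    """Registrable domain, simplified to the last two labels.

    Browsers use the Public Suffix List (so example.co.uk is one site); for
    hosts such as google.com or www.example.com this shortcut gives the same answer.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def chrome80_verdict(header: str, cookie_host: str, top_level_host: str,
                     owned_sites: set[str]) -> Verdict:
    _, attrs = parse_set_cookie(header)
    cross_site = site_of(cookie_host) != site_of(top_level_host)
    owner_can_fix = site_of(cookie_host) in {site_of(s) for s in owned_sites}
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("none", "lax", "strict"):
        samesite = ""  # unknown or absent values count as "not specified"
    secure = "secure" in attrs

    # "Cookies without SameSite must be secure" applies even same-site:
    # the cookie is rejected outright, which is the first warning in this thread.
    if samesite == "none" and not secure:
        return Verdict(cross_site, False,
                       "set with SameSite=None but without Secure: rejected", owner_can_fix)
    if not cross_site:
        return Verdict(False, True, "same-site context: delivered", owner_can_fix)
    # "SameSite by default cookies": a missing attribute now behaves like Lax.
    if samesite == "":
        return Verdict(True, False,
                       "set without the SameSite attribute: treated as Lax, blocked cross-site",
                       owner_can_fix)
    if samesite in ("lax", "strict"):
        return Verdict(True, False,
                       f"SameSite={samesite}: withheld from cross-site requests by design",
                       owner_can_fix)
    return Verdict(True, True, "SameSite=None; Secure: delivered cross-site", owner_can_fix)


def triage(entries, owned_sites: set[str]) -> list[str]:
    """One actionable line per (header, cookie_host, top_level_host) triple."""
    lines = []
    for header, cookie_host, top in entries:
        v = chrome80_verdict(header, cookie_host, top, owned_sites)
        if v.delivered:
            action = "no action"
        elif v.owner_can_fix:
            action = "fix on your server"
        else:
            action = "third party must fix"
        lines.append(f"{cookie_host}: {v.reason} -> {action}")
    return lines


# Constructed sample, modelled on the warnings quoted in this thread.
SAMPLE = [
    ("_gcl=abc; Path=/; SameSite=None", "google.com", "www.example.com"),
    ("NID=123; Domain=.google.com; Path=/", "google.com", "www.example.com"),
    ("PHPSESSID=xyz; Path=/; HttpOnly", "www.example.com", "www.example.com"),
    ("PHPSESSID=xyz; Path=/; HttpOnly", "www.example.com", "checkout.partner.test"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE, {"example.com"}):
        print(line)
```

Running it on the sample prints one line per cookie; the two google.com entries come out as "third party must fix", which is exactly the situation in this issue, while the last entry (your own session cookie loaded from a partner's checkout page) is the case where adding `SameSite=None; Secure` on your server is the right move.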

bensontrent commented 5 years ago

I did a lot of reading on the SameSite warnings and somehow the basics had eluded me. The clarity you've given will help me authoritatively explain the warnings to my client. Thank you so much for this answer!

waruyama commented 4 years ago

Why is the name of the Cookie not included in the message? A cookie associated with a cross-site... is very obscure. Why not write The cookie "auth0_compat" associated with a cross-site.... Currently I get the SameSite warning and I just cannot find the cookie that it refers to (yes, I read the debugging about SameSite changes).

chriskallen commented 4 years ago

Now that Chrome 80 is being rolled out is there any update as to when Google are going to fix the adwords tracking?

peiche commented 4 years ago

Based on the Chromium SameSite updates page, I believe the SameSite behavior won't be rolled out until Feb 17.

MRZMUH001 commented 4 years ago

Is there anyone we can contact to get an update re Google Adwords team rolling out the changes on their side?

gpxjordan commented 4 years ago

My OpenCart 2.3 also seems to have the same problem with SameSite, but based on your discussion I still don't know how to solve this problem.

Can anyone tell me what to do?

My payment gateway and Facebook Message module show related warning messages and do not work correctly: [screenshot]

When I remove Facebook Message, this is the screen Google Chrome displays: [screenshot]

Can you tell me how to fix it, step by step?

Thank you!

rowan-m commented 4 years ago

Google's cookies should generally be fixed now. You will still see warnings as:

To reduce noise, I suggest testing in an incognito session, ensuring that you only visit the site under test, to reduce the number of extra cookies in the browser.

However, be aware that you may still see warnings for blocked cookies that are not affecting the behaviour of the site.

In the example screenshot above the error is related to a Content-Security-Policy directive. In this case, I would investigate how the Facebook functionality you are using is being embedded in the page.

alexpov commented 4 years ago

Using Google Analytics in a Chrome extension:

    static setup() {
        (function(i, s, o, g, r, a, m) {
            i['GoogleAnalyticsObject'] = r;
            (i[r] =
                i[r] ||
                function() {
                    (i[r].q = i[r].q || []).push(arguments);
                }),
                (i[r].l = 1 * new Date());
            (a = s.createElement(o)), (m = s.getElementsByTagName(o)[0]);
            a.async = 1;
            a.src = g;
            m.parentNode.insertBefore(a, m);
        })(
            window,
            document,
            'script',
            'https://www.google-analytics.com/analytics.js',
            'ga'
        ); // Note: https protocol here

        ga('create', google_analitycs_token, 'auto'); // Enter your GA identifier
        ga('set', 'checkProtocolTask', function() {}); // Removes failing protocol check. @see: http://stackoverflow.com/a/22152353/1958200
    }

Chrome version: Google Chrome is up to date Version 80.0.3987.162 (Official Build) (64-bit)

When loading the extension I get an "ERROR" mark: [screenshot]

which is this warning:

A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

The warning itself is not an issue; however, getting an ERROR flag because of it is an issue. Shouldn't this cookie setting have been fixed in version 80? Is it still a work in progress?

gpxjordan commented 4 years ago

Thanks for your reply!

In fact, I have very limited information; I can only describe how to reproduce the environment that may cause this.

Can you use the test account I provided to test the checkout process?

My test steps: enter chrome://flags/ in Chrome's URL bar and search for "SameSite".

Enable the following experiments:

- SameSite by default cookies
- Cookies without SameSite must be secure

Product link to test the checkout process: https://www.tylee.tw/?route=product/product&product_id=10008

Email address: test@tylee.tw Password: ZtU1YoRnQzwfp5ojNoVK

Please select the same payment and shipping method: [screenshot]

Please select the same payment method: ATM (僅限台灣地區使用, "Taiwan only") [screenshot]

Please select any store and click [確認] ("Confirm"): [screenshots]

Please select any bank name and click [取得繳費帳號] ("Get payment account number"): [screenshot]

Please click this button: [返回商店] ("Return to store") [screenshot]

Can you test if all the checkout processes have been fixed for me?

This is My Facebook message code information, I also temporarily restored this code:

Copy/Paste this code into the `<head>` or `<body>` tag of your website (same as your Google Analytics code).

Step 1: Refresh website browser after embedding code.
Step 2: Turn on tool and refresh browser again (Ctrl+F5).

Dear Sir, Can you help me test?

Thank you!

shawnnaquin commented 4 years ago

Has there been any movement on this issue? I'm managing GTMs for an advertising firm that is seeing this same issue across dozens of websites.

Using Google Tag Assistant we see An error occured while the tag was fired: net::ERR_ABORTED.

In the Chrome inspector we get: "A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032."

We've been in touch with support at Google Ads, they cannot help. Our tags are valid html.

Another tell is that using "#google-wcc-force" no longer works as a debug tool. If you click "force" you can see the tag rewrite the phone numbers.

Here is one such webpage where you can see the issue: https://www.cosselawfirm.com/

Thanks, Shawn

Praveenbobby commented 4 years ago

I am facing an error in Chrome: after logging in to the page by providing username and password it allows access, but when we sign out of the page and refresh the login page it does not ask for the credentials; it logs in to the page directly without asking for them. Can someone please help with how to overcome this situation? I tried the scenarios below but they are not working.

Trial 1:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 2:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 1:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

Trial 2:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

Praveenbobby commented 4 years ago

My client's website is getting these SameSite cookie warnings in Chrome. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on Apache/2.4.7 (Ubuntu) hosted by DreamHost, running PHP 7.1, always on https. To my .htaccess file, I've tried adding:

    Header always edit Set-Cookie (.*) "$1; SameSite=Lax"

and I tried

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

...and I tried

    Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"

as well as many other combinations.

I've tried your code for PHP 7.2 and below as shown on this website:

    header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

Could we get some clarity on where this code should go? And perhaps a real working example? Does it go in an .htaccess file or in php.ini, or where in the PHP code should it be called? Also, it's not clear what should be used for the "name" in your example code, or whether I even need to change that value, as the dev tools show over 10 cookie names associated with the google address.

Here's the warning I'm getting in the Chrome Console:

(index):1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

This site is hosted on IBM HTTP Server and the changes below were made in the httpd.conf file. The issue is: we log in to the client page, and when we sign out from that page it does sign out, but when we refresh the page the credentials are taken automatically, whereas the credentials should be asked for. In IE it works fine. Could you please help me with this?

Trial 1:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 2:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 1:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

Trial 2:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

1. Add SameSite=None and Secure if no SameSite already.

    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

Trial 1:

2. Remove duplicate SECURE flag (this keeps the above regex simpler)

    Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP

Trial 2:

2. Remove duplicate SECURE flag (this keeps the above regex simpler)

    Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
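The two `Header edit Set-Cookie` rules in these trials are hard to reason about by eye, and two things in the posted lines deserve a check before they reach a config file. First, where the lines show `(.)` the working pattern has `(.*)`: markdown renders paired `*` as italics and drops them, and a pattern that matches one character would splice the attributes into the cookie name. Second, `env=SAMESITE_SKIP` (without `!`) makes Apache apply the directive only when that variable is set, so unless something such as `SetEnvIf` sets it, those trials edit nothing; `env=!SAMESITE_SKIP` is the form that edits by default. The block below is an added example, not code from the samesite-examples repository or from the comment author: it models both rules in Python so their effect can be checked on constructed sample headers. Apache matches with PCRE, where a mid-pattern `(?i)` is legal, while Python's `re` needs the scoped `(?i:...)`, so the patterns are equivalents rather than verbatim copies.

```python
import re

# Added example; not code from the samesite-examples repository. It models the
# two Apache "Header edit Set-Cookie" rules tried above so their effect can be
# checked on sample headers before they go into httpd.conf or .htaccess.
# Apache matches with PCRE, where a mid-pattern "(?i)" is legal; Python's re
# only accepts the scoped form "(?i:...)", so the patterns here are equivalents,
# not verbatim copies. Where the posted lines show "(.)", the working pattern
# is "(.*)": markdown swallowed the paired "*" quantifiers.

# Rule 1, Apache form: "^(?!.*(\s+|;)(?i)SameSite=)(.*)" -> "$0; SameSite=None; Secure"
ADD_SAMESITE = re.compile(r"^(?!.*(\s+|;)(?i:SameSite=))(.*)")
# Rule 2, Apache form: "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" -> "$1"
DEDUPE_SECURE = re.compile(r"(.*(\s+|;)(?i:Secure)(\s+|;).*) Secure$")
# Rule 1 as it appears in the thread, quantifiers lost: matches one character.
GARBLED_ADD_SAMESITE = re.compile(r"^(?!.(\s+|;)(?i:SameSite=))(.)")


def apply_rule1(header: str) -> str:
    """Append '; SameSite=None; Secure' unless any SameSite attribute is already present."""
    return ADD_SAMESITE.sub(r"\g<0>; SameSite=None; Secure", header, count=1)


def apply_rule2(header: str) -> str:
    """Drop the trailing ' Secure' rule 1 added when the cookie was already Secure.

    Faithful to the posted regex: the ';' before the removed flag is left behind,
    which browsers ignore as an empty attribute.
    """
    return DEDUPE_SECURE.sub(r"\1", header, count=1)


def apply_garbled_rule1(header: str) -> str:
    """The '(.)' variant: shows why the thread's lines cannot work as posted."""
    return GARBLED_ADD_SAMESITE.sub(r"\g<0>; SameSite=None; Secure", header, count=1)


def edit_set_cookie(header: str, samesite_skip: bool = False, negated_env: bool = True) -> str:
    """Run both rules under Apache's env= condition.

    negated_env=True  models 'env=!SAMESITE_SKIP': edit unless the variable is set.
    negated_env=False models 'env=SAMESITE_SKIP':  edit only when it IS set, so unless
    something (e.g. SetEnvIf) sets it, the header is never touched. That is why the
    trials using the un-negated form showed no change.
    """
    should_edit = (not samesite_skip) if negated_env else samesite_skip
    if not should_edit:
        return header
    return apply_rule2(apply_rule1(header))


# Constructed sample Set-Cookie values, covering the cases the rules must handle.
SAMPLE_HEADERS = [
    "PHPSESSID=abc; Path=/; HttpOnly",
    "PHPSESSID=abc; Path=/; Secure; HttpOnly",
    "csrftoken=xyz; Path=/; SameSite=Lax",
    "pref=1;samesite=strict; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:48} -> {edit_set_cookie(h)!r}")
    once = edit_set_cookie(SAMPLE_HEADERS[0])
    print("idempotent:", edit_set_cookie(once) == once)
    print("garbled   :", apply_garbled_rule1(SAMPLE_HEADERS[0]))
```

Two properties worth confirming on your own cookies before deploying: the pair is idempotent (a second pass finds `SameSite=` and leaves the header alone), and a cookie that already had `Secure` ends up with a harmless trailing `;` rather than two `Secure` flags. Neither rule can touch cookies set by google.com, as the maintainer explained earlier in the thread; they apply only to `Set-Cookie` headers your own server emits.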