Same site attribute not used for test cookies

amplitude / Amplitude-JavaScript

JavaScript SDK for Amplitude

MIT License

314 stars 132 forks source link

Same site attribute not used for test cookies #271

Open morus12 opened 4 years ago

morus12 commented 4 years ago

This warning shows up even with sameSite configured.

Cookie “amplitude_cookie_test” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

It's because the function areCookiesEnabled sets the cookies and is called before sameSite attribute is set. https://github.com/amplitude/Amplitude-JavaScript/blob/92829d1588db8eb01fcefa84ee8951ede3543459/src/metadata-storage.js#L12-L21

gabberr commented 4 years ago

We are having the same issue. Console log is spammed with the missing sameSite warnings. On v7.1, areCookiesEnabled is to blame:

It tries to use Constants.COOKIE_TEST which is undefined (should be COOKIE_TEST_PREFIX)

it calls set with no options, so the sameSite warnings will be printed everytime.

const areCookiesEnabled = () => {
const uid = String(new Date());
try {
const cookieName = Constants.COOKIE_TEST + base64Id();
set(cookieName, uid, {});
const _areCookiesEnabled = get(cookieName + '=') === uid;
set(cookieName, null, {});
return _areCookiesEnabled;
} catch (e) {}
return false;
};

quarties commented 4 years ago

Any update on this issue? Do you have any plans to take care of it? We're receiving many complains from our customers about missing same site attr for cookies and Amplitude is the only thing left to fix it.

kelvin-lu commented 4 years ago

Hi @quarties ! sorry for the lack of communication - we flagged this as an issue a few weeks back and are hoping to resolve this in the coming (~1 -2) weeks - we'll keep you posted!

quarties commented 4 years ago

@kelvin-lu thanks a lot! I really appreciate your effort <3

eino commented 3 years ago

Hello, I'm still getting this warning on firefox (I see nothing in Chrome, but no amp_cookie_test is visible in the local storage, so perhaps the warning is just not visible ?)

Cookie “amp_cookie_testHrIiHKBjFaeV7QkRhp-S9k” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I also see

Cookie “amplitude_test” has been rejected for invalid domain.

Though I see there was a fix in v.7.2.0, I've been using the 7.3.3 and still see the error.

ryanliszewski commented 2 years ago

I'm seeing this as well on Firefox using 8.18.1. Any updates here? @kelvin-lu