Closed deka closed 4 years ago
The Auth SDK does not set any cookies. Please provide actual details on the source of this issue. This unlikely to be from our library. However, we do pull in other external dependencies. If you can help pinpoint that, we could route you to the right owners to fix this.
A cookie associated with a cross-site resource at http://cloudflare.com/ was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
v2.mapee.app/:1 A cookie associated with a resource at http://gstatic.com/ was set with SameSite=None
but without Secure
. A future release of Chrome will only deliver cookies marked SameSite=None
if they are also marked Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at https://smartlock.google.com/ was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
/auth:1 A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
/auth:1 A cookie associated with a cross-site resource at https://google.com/ was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
/auth:1 A cookie associated with a resource at http://google.com/ was set with SameSite=None
but without Secure
. A future release of Chrome will only deliver cookies marked SameSite=None
if they are also marked Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
m=yolo_frame_library:282 The client origin is not permitted to use this API.
This is warning for a firebase project
Hey @deka. We need more information to resolve this issue but there hasn't been an update in 7 days. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.
If you have more information that will help us get to the bottom of this, just add a comment!
Please, see steps to reproduce.
Can you confirm ?
Perhaps, firebase.auth need new configuration param to set SameSite
?
Have been experiencing the same for several weeks.
As @bojeil-google said, we don't set any cookies. It's the google sign-in page who set the cookie.
From my understanding we can ignore this warnings. Google as the initiator of this feature will surely update their Sign-In Page Cookies with the Secure Tag.
I'm experiencing the same issue. Is there a solution to this?
In my app, I use the Auth to login using two methods:
auth.emailSignInStart(...)
auth.signInWithPopup(...)
. The method auth.emailSignInStart(...)
works and allows the user to login.
But the auth.signInWithPopup(...)
method causes the cookie error (shown below) and fails to login resulting in this error: "A network error (such as timeout, interrupted connection or unreachable host) has occurred."
No code changes have been made to the app's login procedures and worked perfectly in the past. It appears that changes have been made to the Auth SDK.
A cookie associated with a cross-site resource at
was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=None
andSecure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details atand . login-page:1 A cookie associated with a resource at http://google.com/ was set with SameSite=None
but withoutSecure
. A future release of Chrome will only deliver cookies markedSameSite=None
if they are also markedSecure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
@SergeKrstic did you figure out a workaround? This completely breaks signInWithPopup
for us, too.
@SergeKrstic Are you using Kaspersky ? I'm asking because in my opinion you have 2 different problems. 1: The cookie "warning" (no error...) --> annoying but shouldn't prevent firebase from working 2: The "network error" (not related with cookie error) --> possible reason for this problem can be found here (https://github.com/firebase/firebase-js-sdk/issues/1190)
This warning shouldn't break signInWithPopup
or any other methods of sign-in.
If something is broken, it is unlikely to be related to the SameSite
attribute issue.
Hey @pitw, thanks for giving me some ideas to explore. They led me to find the cause and a solution.
These type of issues, with cryptic error messages, can be frustrating. They are also tricky for the maintainers to provide helpful advice. So here's what I did.
signInWithPopup
did not work on any browser or device combination. I don't know, maybe something has changed since then)signInWithPopup
. It logged in successfully. YAY!!Is there a way for the signInWithPopup
to not be intercepted and altered by Chrome extensions?
Anyhow, I hope this helps.
Just to clarify, the warning message still appears in the close log, however, with my fix, I’m now able to log in using ‘signInWithPopup’
I experience the same. I temporarily disabled all my extensions and no change.
I have the same problem. That message appears 37 times(1 per each google service or subdomain) every time I want to login with google.
I am seeing this warning in Brave Browser too.
I am also running into this issue:
Environment: Incognito Chrome with no extensions Firebase npm package 7.6.2 Sign in method: email and password
I am still able to sign in but I get the console warning.
A cookie associated with a cross-site resource at https://google.com/ was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I'm having the same issue. Disabling React Developer Tools plugin fixes the issue for me. I have no clue why.
I'm having this issue when I attach vscode to chrome for debug on windows. I also get the following popup on login and then fb auth throws an exception:
This browser or app may not be secure. Learn more
Try using a different browser. If you’re already using a supported browser, you can refresh your screen and try again to sign in.
Works fine on localhost without vscode attach.
Hi same issue here. We are paying for the platform (firebase) this is not a "free" project AFAIK.
Please provide a confirmation of the issue from Firebase Google that is all we ask.
@wti806 and other contributors here. This is business critical.
Had same issue, Fixed under mobile Chrome Browser (I think the new version of Chrome 80 who added a new securety to allow cockies under browser by user).
here to make enable :
hope help you. have a nice day.
Same issue using signUpWithPopup
and Google provider in a Chrome Extension (domain the script is invoked on is allowed via Firebase Console). Pop-up opens but is just blank. I am invoking the popup from a react app which is rendered into a website via a content script, not from the extension popup script.
It's possible to auth from the popup script but this is less desired and regardless the content script does not receive an auth change event from singing in, so it seems unworkable for a content script anyway.
I also tried auth exactly as prescribed here in the popup but still no event in the content script - https://github.com/firebase/quickstart-js/tree/master/auth/chromextension
I raised a SO about this here: https://stackoverflow.com/questions/60903867/firebase-with-chrome-extension-not-receiving-onauthstatechange-event-in-conten
I just found that firebase auth is not working on our site when same site cookie is enforced.
This worries me. I hope you guys at Firebase talk to other Google teams and are not waiting for the authentication to be broken to fix this. It's been 6 months. A confirmation that it's ok would be nice.
In my case the cookies were set by https://apis.google.com/js/api.js?onload=__iframefcb701432
Please fix!! this is a game-breaking bug!
Any fixes, users can't login to our sites. This is a P0.
This is causing issues on my site. Please resolve.
Hello all. I hope I speak everyone's thoughts here. :)
My Chrome updates are a little delayed, so I have only just had this issue. Google, you own Chrome. You know perfectly well what Chrome's plans are. Yet you still don't do anything about these issues. I have had it for ages, but I ignored it hoping you would fix the issue, but no. Now it is broken and I am having to use flags, as with many other people here. We are paying for this service. This is a breaking bug. It should be top priority. This is not a feature request like @google-oss-bot says it is.
Hi! @bojeil-google and others. Sorry to say but :
Really are we reaching this point that we consumers that pay for firebase actually have to "beg" for attention ?
Hi again here.
As of today we have about 5% of our users (2K MAU) that experience this issue with chrome and windows.
They simply cannot login, and we are just implementing loginwithredirect or windowpopup but both are not working.
At least some advice to mitigate the issue would be great.
According to the news:
April 2020 - Google delays samesite cookie origin requirement
July 2020 - Google slowly rolls out the samesite cookie requirement
Same here, anyone has a solution for this issue ?
This worries me. I hope you guys at Firebase talk to other Google teams and are not waiting for the authentication to be broken to fix this. It's been 6 months. A confirmation that it's ok would be nice.
In my case the cookies were set by
https://apis.google.com/js/api.js?onload=__iframefcb701432
I have the exactly same behaviour.
I had the same problem, the errors indicated to me that something was wrong with cookies like all of you, since my project is only for testing, delete my project and create another and the same errors jumped at me, but one more, I said that I did not have enabled that domain, then I enabled it in firebase and now it works even though it still shows me the cookie warnings
same here
This continues to be an issue
Also having this issue where I'm trying to use google popup login for auth
Hi There,
I am also facing the same issue while using popup with google auth.
Have the same problem
I posted a similar screen shot that Louisameline shows above to Firebase Support explaining same issue and got this as a response: "It looks like you’re reporting an issue with SameSite. Unfortunately, this support channel only covers answering and troubleshooting issues with Firebase APIs and features. Therefore, this is outside the scope of our support. For further assistance, you may reach out to Google Chrome support regarding this matter.
If you have any Firebase-specific questions or concerns, feel free to reach out to us.
Thank you for your understanding,"
Not much help or concern. I used to have great respect for the way Google does things, that's why I chose firebase over aws or azure regimes. This issue, I fear, will cause a lot of pain for a lot of people at a time we all need to get remote systems working.
Hi folks,
There are two things at play here. The warnings that you are seeing in the console when signing in with Google are not necessarily problematic (these warnings are what this issue originally asked about). The warnings are unrelated to Firebase and they should not impact anyone’s ability to sign in.
Separately, there is another issue that is currently affecting Chrome Incognito / Chrome with the setting "Block Third-Party Cookies." This is unrelated to the warnings you see in Google sign in and has to do with Chrome’s enforcement of the third-party cookie policy and the way that we handle the login flow. This issue is likely the cause of users being unable to sign in and we are working on it right now. Please see this comment for more details. That bug is unrelated to the warning messages you see in the developer console during Google sign in.
I'm closing this out—this feature request for removing the warnings from Google sign in is outside our purview. There is a related issue in https://github.com/google/google-api-javascript-client/issues/561 that you can follow. For folks who are unable to login due to third-party cookie errors, we are tracking the issue in https://github.com/firebase/firebase-js-sdk/issues/3004.
Thanks
Hi folks,
There are two things at play here. The warnings that you are seeing in the console when signing in with Google are not necessarily problematic (these warnings are what this issue originally asked about). The warnings are unrelated to Firebase and they should not impact anyone’s ability to sign in; I have verified I am able to log in even with the flags described in this comment enabled.
Separately, there is another issue that is currently affecting Chrome Incognito / Chrome with the setting "Block Third-Party Cookies." This is unrelated to the warnings you see in Google sign in and has to do with Chrome’s enforcement of the third-party cookie policy and the way that we handle the login flow. This issue is likely the cause of users being unable to sign in and we are working on it right now. Please see this comment for more details. That bug is unrelated to the warning messages you see in the developer console during Google sign in.
I'm closing this out—this feature request for removing the warnings from Google sign in is outside our purview. There is a related issue in google/google-api-javascript-client#561 that you can follow. For folks who are unable to login due to third-party cookie errors, we are tracking the issue in #3004.
Thanks
Hello,
Great to know Chrome is working on it. However I think you may have misunderstood 'this comment'. This was a workaround to be able to login. Login was not working before enabling these flags. Sorry if I have misunderstood.
It's about time we found out what was happening. So thank you for that :)
Ah yes, sorry it was a misunderstanding on my part. Thanks for pointing this out! I've edited my comment.
I was unable to reproduce the issue by forcing those flags off, but regardless I still think the login issues are due to https://github.com/firebase/firebase-js-sdk/issues/3004.
Disabling 'sameSite' feature on chrome://flags didn't help this. I'll share that like recommended, I used Google API to sign in and it worked for me. I haven't used credentials to sign in to firebase yet, but that's simple. Just a reminder that Vuejs has public/index.html, so we can actually use the pure html/javascript that Google API uses. I spent a lot of time trying to find nodejs alternative while ignoring third-parties.
I have issues in google crome
Any update?
[REQUIRED] Describe your environment
[REQUIRED] Describe the problem
Warning with cookies :
Steps to reproduce: