firebase / firebase-js-sdk

Firebase Javascript SDK
https://firebase.google.com/docs/web/setup

FR : Fix chrome cookies warning (`SameSite` attribute) #2284

Closed deka closed 4 years ago

deka commented 5 years ago

[REQUIRED] Describe your environment

[REQUIRED] Describe the problem

Warning with cookies:

A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Steps to reproduce:

bojeil-google commented 5 years ago

The Auth SDK does not set any cookies. Please provide actual details on the source of this issue. This is unlikely to be from our library. However, we do pull in other external dependencies. If you can help pinpoint that, we could route you to the right owners to fix this.

Morbden commented 4 years ago

A cookie associated with a cross-site resource at http://cloudflare.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

v2.mapee.app/:1 A cookie associated with a resource at http://gstatic.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

A cookie associated with a cross-site resource at https://smartlock.google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

/auth:1 A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

/auth:1 A cookie associated with a cross-site resource at https://google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

/auth:1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

m=yolo_frame_library:282 The client origin is not permitted to use this API.

This is a warning for a Firebase project.

google-oss-bot commented 4 years ago

Hey @deka. We need more information to resolve this issue but there hasn't been an update in 7 days. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

deka commented 4 years ago

Please see steps to reproduce.

Can you confirm?

Perhaps firebase.auth needs a new configuration param to set SameSite?

tohagan commented 4 years ago

Have been experiencing the same for several weeks.

wti806 commented 4 years ago

As @bojeil-google said, we don't set any cookies. It's the Google sign-in page that sets the cookie.

pitw commented 4 years ago

From my understanding we can ignore these warnings. Google as the initiator of this feature will surely update their Sign-In Page Cookies with the Secure Tag.

SergeKrstic commented 4 years ago

I'm experiencing the same issue. Is there a solution to this?

In my app, I use the Auth to login using two methods:

The method auth.emailSignInStart(...) works and allows the user to login.

But the auth.signInWithPopup(...) method causes the cookie error (shown below) and fails to login resulting in this error: "A network error (such as timeout, interrupted connection or unreachable host) has occurred."

No code changes have been made to the app's login procedures and worked perfectly in the past. It appears that changes have been made to the Auth SDK.

A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and . login-page:1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

zshannon commented 4 years ago

@SergeKrstic did you figure out a workaround? This completely breaks signInWithPopup for us, too.

pitw commented 4 years ago

@SergeKrstic Are you using Kaspersky? I'm asking because in my opinion you have 2 different problems.

1: The cookie "warning" (no error...) --> annoying but shouldn't prevent firebase from working

2: The "network error" (not related with cookie error) --> possible reason for this problem can be found here (https://github.com/firebase/firebase-js-sdk/issues/1190)

bojeil-google commented 4 years ago

This warning shouldn't break signInWithPopup or any other methods of sign-in. If something is broken, it is unlikely to be related to the SameSite attribute issue.

SergeKrstic commented 4 years ago

Hey @pitw, thanks for giving me some ideas to explore. They led me to find the cause and a solution.

These types of issues, with cryptic error messages, can be frustrating. They are also tricky for the maintainers to provide helpful advice. So here's what I did.

Is there a way for the signInWithPopup to not be intercepted and altered by Chrome extensions?

Anyhow, I hope this helps.

SergeKrstic commented 4 years ago

Just to clarify, the warning message still appears in the console log; however, with my fix, I'm now able to log in using 'signInWithPopup'.

rsivan commented 4 years ago

I experience the same. I temporarily disabled all my extensions and no change.

magoarcano commented 4 years ago

I have the same problem. That message appears 37 times (1 per each Google service or subdomain) every time I want to log in with Google.

AoDev commented 4 years ago

I am seeing this warning in Brave Browser too.

mheavenor commented 4 years ago

I am also running into this issue:

Environment: Incognito Chrome with no extensions; Firebase npm package 7.6.2; sign-in method: email and password

I am still able to sign in but I get the console warning.

A cookie associated with a cross-site resource at https://google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

wesrice commented 4 years ago

I'm having the same issue. Disabling React Developer Tools plugin fixes the issue for me. I have no clue why.

toddwseattle commented 4 years ago

I'm having this issue when I attach vscode to chrome for debug on windows. I also get the following popup on login and then fb auth throws an exception:

This browser or app may not be secure. Learn more

Try using a different browser. If you’re already using a supported browser, you can refresh your screen and try again to sign in.

Works fine on localhost without vscode attach.

jimmykane commented 4 years ago

Hi same issue here. We are paying for the platform (firebase) this is not a "free" project AFAIK.

Please provide a confirmation of the issue from Firebase Google that is all we ask.

@wti806 and other contributors here. This is business critical.

DJFreh commented 4 years ago

Had the same issue. Fixed under the mobile Chrome browser (I think the new version of Chrome 80 added a new security setting to allow cookies under browser by user).

Here is how to enable it: image

Hope this helps you. Have a nice day.

sekoyo commented 4 years ago

Same issue using signUpWithPopup and Google provider in a Chrome Extension (domain the script is invoked on is allowed via Firebase Console). Pop-up opens but is just blank. I am invoking the popup from a react app which is rendered into a website via a content script, not from the extension popup script.

It's possible to auth from the popup script but this is less desired and regardless the content script does not receive an auth change event from signing in, so it seems unworkable for a content script anyway.

I also tried auth exactly as prescribed here in the popup but still no event in the content script - https://github.com/firebase/quickstart-js/tree/master/auth/chromextension

I raised a SO about this here: https://stackoverflow.com/questions/60903867/firebase-with-chrome-extension-not-receiving-onauthstatechange-event-in-conten

Mistic92 commented 4 years ago

I just found that firebase auth is not working on our site when same site cookie is enforced.

louisameline commented 4 years ago

This worries me. I hope you guys at Firebase talk to other Google teams and are not waiting for the authentication to be broken to fix this. It's been 6 months. A confirmation that it's ok would be nice.

In my case the cookies were set by https://apis.google.com/js/api.js?onload=__iframefcb701432

image

EthanSK commented 4 years ago

Please fix!! this is a game-breaking bug!

dksb commented 4 years ago

Any fixes, users can't login to our sites. This is a P0.

slarsendisney commented 4 years ago

This is causing issues on my site. Please resolve.

JaffaKetchup commented 4 years ago

Hello all. I hope I speak everyone's thoughts here. :)

My Chrome updates are a little delayed, so I have only just had this issue. Google, you own Chrome. You know perfectly well what Chrome's plans are. Yet you still don't do anything about these issues. I have had it for ages, but I ignored it hoping you would fix the issue, but no. Now it is broken and I am having to use flags, as with many other people here. We are paying for this service. This is a breaking bug. It should be top priority. This is not a feature request like @google-oss-bot says it is.

jimmykane commented 4 years ago

Hi! @bojeil-google and others. Sorry to say, but:

Really, are we reaching this point that we consumers that pay for Firebase actually have to "beg" for attention?

jimmykane commented 4 years ago

Hi again here.

As of today we have about 5% of our users (2K MAU) that experience this issue with chrome and windows.

They simply cannot login, and we are just implementing loginwithredirect or windowpopup but both are not working.

At least some advice to mitigate the issue would be great.

jimmykane commented 4 years ago

According to the news:

April 2020 - Google delays samesite cookie origin requirement

July 2020 - Google slowly rolls out the samesite cookie requirement

https://www.google.com/amp/s/www.slashgear.com/chrome-84-silences-intrusive-notifications-makes-web-apps-better-14629066/amp/

conde2 commented 4 years ago

Same here, does anyone have a solution for this issue?

conde2 commented 4 years ago

> This worries me. I hope you guys at Firebase talk to other Google teams and are not waiting for the authentication to be broken to fix this. It's been 6 months. A confirmation that it's ok would be nice.
>
> In my case the cookies were set by https://apis.google.com/js/api.js?onload=__iframefcb701432
>
> image

I have exactly the same behaviour.

erickArita commented 4 years ago

I had the same problem. The errors indicated to me that something was wrong with cookies, like all of you. Since my project is only for testing, I deleted my project and created another, and the same errors jumped at me, plus one more saying that I did not have that domain enabled. Then I enabled it in Firebase and now it works, even though it still shows me the cookie warnings.

mainakamauelijah commented 4 years ago

same here

wtesler commented 4 years ago

This continues to be an issue

ChristopherDalziel commented 4 years ago

Also having this issue where I'm trying to use google popup login for auth

rastogia3 commented 4 years ago

Hi There,

I am also facing the same issue while using popup with google auth.

re-ynd commented 4 years ago

Have the same problem

writerdanhardy commented 4 years ago

I posted a similar screen shot that Louisameline shows above to Firebase Support explaining same issue and got this as a response: "It looks like you’re reporting an issue with SameSite. Unfortunately, this support channel only covers answering and troubleshooting issues with Firebase APIs and features. Therefore, this is outside the scope of our support. For further assistance, you may reach out to Google Chrome support regarding this matter.

If you have any Firebase-specific questions or concerns, feel free to reach out to us.

Thank you for your understanding,"

Not much help or concern. I used to have great respect for the way Google does things, that's why I chose firebase over aws or azure regimes. This issue, I fear, will cause a lot of pain for a lot of people at a time we all need to get remote systems working.

sam-gc commented 4 years ago

Hi folks,

There are two things at play here. The warnings that you are seeing in the console when signing in with Google are not necessarily problematic (these warnings are what this issue originally asked about). The warnings are unrelated to Firebase and they should not impact anyone’s ability to sign in.

Separately, there is another issue that is currently affecting Chrome Incognito / Chrome with the setting "Block Third-Party Cookies." This is unrelated to the warnings you see in Google sign in and has to do with Chrome’s enforcement of the third-party cookie policy and the way that we handle the login flow. This issue is likely the cause of users being unable to sign in and we are working on it right now. Please see this comment for more details. That bug is unrelated to the warning messages you see in the developer console during Google sign in.

I'm closing this out—this feature request for removing the warnings from Google sign in is outside our purview. There is a related issue in https://github.com/google/google-api-javascript-client/issues/561 that you can follow. For folks who are unable to login due to third-party cookie errors, we are tracking the issue in https://github.com/firebase/firebase-js-sdk/issues/3004.

Thanks
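For cookies that your own server sets, the two rules quoted in the Chrome warnings in this thread can be checked mechanically. The following is an added example, not code from the Firebase SDK or from any commenter; the function names and sample headers are hypothetical, and it says nothing about cookies set by third-party origins such as the Google sign-in page.

```javascript
// Added example: apply the two rules quoted in the Chrome warnings to raw
// Set-Cookie header values. All names here are hypothetical.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1).trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    // Values other than strict/lax/none are handled as if the attribute were absent.
    if (key === "samesite" && ["strict", "lax", "none"].includes(value)) cookie.sameSite = value;
  }
  return cookie;
}

function classify(header) {
  const { secure, sameSite } = parseSetCookie(header);
  if (sameSite === "none") {
    // Second warning: SameSite=None is only honoured together with Secure.
    return secure ? "cross-site-ok" : "none-without-secure";
  }
  // Explicit Strict or Lax: the site opted out of cross-site delivery; no warning.
  if (sameSite !== null) return "same-site-only";
  // First warning: no SameSite attribute, so no delivery on cross-site requests.
  return "missing-samesite";
}

// Return only the cookies that would trigger one of the two warnings.
function audit(headers) {
  return headers
    .map((h) => ({ name: parseSetCookie(h).name, finding: classify(h) }))
    .filter((r) => r.finding === "missing-samesite" || r.finding === "none-without-secure");
}

// Constructed sample headers, not captured from any Google or Firebase endpoint.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",
  "widget=1; Path=/; SameSite=None",
  "embed=xyz; Path=/; Secure; SameSite=None",
  "prefs=dark; Path=/; SameSite=Lax",
];

console.log(audit(SAMPLE_HEADERS));
```
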

JaffaKetchup commented 4 years ago

> Hi folks,
>
> There are two things at play here. The warnings that you are seeing in the console when signing in with Google are not necessarily problematic (these warnings are what this issue originally asked about). The warnings are unrelated to Firebase and they should not impact anyone’s ability to sign in; I have verified I am able to log in even with the flags described in this comment enabled.
>
> Separately, there is another issue that is currently affecting Chrome Incognito / Chrome with the setting "Block Third-Party Cookies." This is unrelated to the warnings you see in Google sign in and has to do with Chrome’s enforcement of the third-party cookie policy and the way that we handle the login flow. This issue is likely the cause of users being unable to sign in and we are working on it right now. Please see this comment for more details. That bug is unrelated to the warning messages you see in the developer console during Google sign in.
>
> I'm closing this out—this feature request for removing the warnings from Google sign in is outside our purview. There is a related issue in google/google-api-javascript-client#561 that you can follow. For folks who are unable to login due to third-party cookie errors, we are tracking the issue in #3004.
>
> Thanks

Hello,

Great to know Chrome is working on it. However I think you may have misunderstood 'this comment'. This was a workaround to be able to login. Login was not working before enabling these flags. Sorry if I have misunderstood.

It's about time we found out what was happening. So thank you for that :)

sam-gc commented 4 years ago

Ah yes, sorry it was a misunderstanding on my part. Thanks for pointing this out! I've edited my comment.

I was unable to reproduce the issue by forcing those flags off, but regardless I still think the login issues are due to https://github.com/firebase/firebase-js-sdk/issues/3004.

tenzint commented 4 years ago

Disabling 'sameSite' feature on chrome://flags didn't help this. I'll share that like recommended, I used Google API to sign in and it worked for me. I haven't used credentials to sign in to firebase yet, but that's simple. Just a reminder that Vuejs has public/index.html, so we can actually use the pure html/javascript that Google API uses. I spent a lot of time trying to find nodejs alternative while ignoring third-parties.

snehapaka commented 4 years ago

I have issues in Google Chrome

GanchoDanailov commented 4 years ago

Any update?