harvesthq / platform

A whole new way to add time tracking to your web application.
https://www.getharvest.com/platform

Cookies need setting SameSite=None #52

Closed yvesvanbroekhoven closed 4 years ago

yvesvanbroekhoven commented 4 years ago

In an upcoming release of Chrome and Firefox, they will prevent cookies without the SameSite setting from being externally accessible.

I tested this with the available browser flags and it seems that this API isn't usable anymore.

Any chance your team is going to fix this anytime soon?

Screenshots (not reproduced): current cookies; enabling the browser flags in Firefox and Chrome; the error shown after enabling the flags.

More info

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

cade commented 4 years ago

Any chance your team is going to fix this anytime soon?

Yep! We're currently working on supporting the SameSite attribute (QA will begin today), and we will roll out our changes before Chrome 80's February deadline. Thanks for filing the issue and checking!

yvesvanbroekhoven commented 4 years ago

Awesome @cade!

Just give a sign when I can test 🖖

cade commented 4 years ago

@yvesvanbroekhoven We've shipped our support for SameSite cookies on Harvest's platform.

Please note, Firefox's dev tools seem to still be reporting Unset (regardless of flag preference settings) even though the Set-Cookie header is specifying SameSite=None on the cookie. I am seeing the same behavior from the verification site that Google links to, so I'm not sure what's going on with Firefox.

Chrome dev tools appear to be correctly reporting SameSite=None.

Scratch that. We discovered some strange behavior with platform authentication and have rolled back. I'll keep you posted!

cade commented 4 years ago

@yvesvanbroekhoven -- I don't love the route we ended up having to take, but we're currently only serving SameSite=None for Chrome 80+, as that is currently the only critical breakage we're facing. You can confirm this behavior in Chrome's beta:

(Screenshot from 2020-01-31 of Chrome beta's dev tools, not reproduced.)

Harvest has required SSL connections and exclusively served Secure, encrypted cookies for quite a long time, so whether or not we serve SameSite=None to older clients in contexts like platform that require None shouldn't have any negative security implications.

We've already migrated many other cookies to Lax where possible across our products without issue. We're going to continue to investigate if we can serve SameSite=None settings for more browsers without affecting authentication and user experience, but things should continue uninterrupted for Chrome 80 come February. In the meantime, we'll be sure to keep an eye out for Firefox or Edge releases that change their defaults as well.
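The approach described in the comment above (emit SameSite=None only for Chrome 80+, always with Secure, and leave the attribute off for other clients) as an added example. This is not code from harvesthq/platform or from Harvest; it is a Node.js illustration with a hypothetical cookie name, a hypothetical User-Agent version threshold helper, and constructed User-Agent strings. It also includes a small Set-Cookie parser so you can check what a server actually sent rather than relying on a dev tools panel, which the thread notes can mis-report the attribute.

```javascript
// Added example (not Harvest's code): per-client SameSite policy for a
// cross-site cookie, plus a parser to verify the header that was sent.

const CHROME_RE = /Chrom(?:e|ium)\/(\d+)/;

// Major version from a Chrome/Chromium User-Agent string, or null if the
// string does not identify a Chromium-based browser.
function chromeMajorVersion(ua) {
  const m = CHROME_RE.exec(ua || '');
  return m ? Number(m[1]) : null;
}

// Policy from the thread: only Chrome 80+ (where the default flips to Lax)
// gets an explicit SameSite=None. Other clients get no SameSite attribute,
// so browsers known to mishandle the None value never see it.
function sameSiteForClient(ua) {
  const v = chromeMajorVersion(ua);
  return v !== null && v >= 80 ? 'None' : null;
}

// Build a Set-Cookie header value. Secure and HttpOnly default to on.
// SameSite=None without Secure is refused: Chrome 80 drops such cookies.
function buildSetCookie(name, value, options = {}) {
  const { sameSite = null, path = '/', secure = true, httpOnly = true } = options;
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Header for a hypothetical session cookie used inside an embedded
// (third-party) context, where a cross-site-capable cookie is required.
function platformSessionCookie(ua, token) {
  return buildSetCookie('platform_session', token, { sameSite: sameSiteForClient(ua) });
}

// Parse a Set-Cookie value back into name, value and lower-cased attributes,
// so a response can be checked directly (e.g. from curl -i output).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const out = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attributes: {},
  };
  for (const a of attrs) {
    const i = a.indexOf('=');
    if (i === -1) out.attributes[a.toLowerCase()] = true;
    else out.attributes[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return out;
}

// Constructed sample User-Agent strings (not captured from real traffic).
const UA_CHROME_80 = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36';
const UA_CHROME_79 = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36';
const UA_FIREFOX_72 = 'Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0';

for (const ua of [UA_CHROME_80, UA_CHROME_79, UA_FIREFOX_72]) {
  console.log(platformSessionCookie(ua, 'abc123'));
}
```

Running it prints three headers: the Chrome 80 one carries `SameSite=None; Secure`, the other two carry `Secure` and no SameSite attribute at all. User-Agent gating like this is a stopgap that depends on a parseable UA string; once every supported browser accepts SameSite=None the gate should be removed and the attribute sent unconditionally.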

yvesvanbroekhoven commented 4 years ago

Alright @cade, thanks for looking into it.

If I notice issues in Firefox, I'll let you know!