keppelen / react-facebook-login

A Component React for Facebook Login

Google Chrome Update Requires Cookies to be Set with SameSite / Secure #276

Open rishipr opened 4 years ago

rishipr commented 4 years ago

When authenticating a user with the package, I receive the following in Chrome Dev tools. Not sure if the cookie is being set on the react-facebook-login side, but thought I'd flag it just in case. If so, the cookie must be set with SameSite=None and Secure moving forward.

A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.

olemartin commented 4 years ago

Any progress on this?

Microserf commented 4 years ago

I too have been seeing the same warning in the browser console. I'm having trouble understanding what the issue is and where the solution lies. I find that Chrome warning message to be horrendously unclear.

Here are some observations I've made, and hopefully they help...

  1. I'm not sure that the problem lies in the react-facebook-login component. The only reference I see for "cookie" in the code is simply a true/false boolean value that gets passed directly to the Facebook SDK, which takes care of the actual login. The default is false, so unless you've gone out of your way to set that to true in your code, I don't think this is

  2. I don't get the warnings at all in incognito mode, no matter what I try. I get them consistently in regular (non-incognito) mode.

  3. The critical difference between the two modes would seem to be the presence of pre-existing cookies, as well as local and session storage. I used the Forget-Me-Now extension to remove all traces of both my local development server (https://my-app.local/) as well as Facebook, but this makes no difference. Even with a blank slate, I consistently see the warnings in non-Incognito mode.

  4. I found that there are two hidden columns in the Network panel, in the Chrome Dev Tools: "Cookies" and "Set Cookies". Since the Chrome warning message is very opaque, I thought I would try to go through all the cookies that are sent/set in the login process (where the errors are generated).

     4.1. The warning message in the console claims that there were cookies set without the SameSite attribute. In contrast, according to the network panel, not a single request sets cookies, so that's curious...

     4.2. Only two requests were sending cookies, both of them against the www.facebook.com domain. Upon examining the cookies sent with both requests, I see that Chrome thinks that every single one has the "SameSite" attribute set to "None". Again, this contradicts the warning message in the console. Furthermore, I don't believe you can set any kind of SameSite= attribute on a request cookie, so this doesn't seem to be a useful avenue for debugging.

This is all I've found for now. The most curious part of this problem to me is how I never get the problem in Incognito mode, whereas I always get it in regular browsing mode, even if I try to simulate Incognito conditions using Forget-Me-Now...

If anyone else finds anything, please share...
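An added example, not code from react-facebook-login or from anyone in this thread, of the audit the "Set Cookies" column walk-through above implies: it parses Set-Cookie header values (as copied from the Network panel) and reports which ones Chrome would treat as Lax by default, reject outright (SameSite=None without Secure), or accept for cross-site use. All cookie names and values are constructed samples.

```javascript
// Constructed sample Set-Cookie header values; not captured from Facebook or any real site.
const SAMPLE_SET_COOKIE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly',          // no SameSite: Chrome defaults it to Lax
  'login_token=tok; Path=/; SameSite=None',      // None without Secure: Chrome rejects it
  'csrf=xyz; Path=/; Secure; SameSite=None',     // correct form for a cross-site cookie
  'prefs=dark; SameSite=Strict',                 // first-party only, fine as is
];

// Split one Set-Cookie value into its name and a lowercase-keyed attribute map.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: eq === -1 ? nameValue : nameValue.slice(0, eq), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1); // flag attrs (Secure, HttpOnly) become true
  }
  return cookie;
}

// Apply the rules behind the Chrome warning quoted in the issue:
//   SameSite=None is only honoured together with Secure; a missing SameSite is treated as Lax.
function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : undefined;
  const secure = attributes.secure === true;
  if (sameSite === 'none' && !secure) {
    return { name, verdict: 'rejected', reason: 'SameSite=None requires the Secure attribute' };
  }
  if (sameSite === undefined) {
    return { name, verdict: 'lax-by-default', reason: 'no SameSite attribute; not sent on cross-site requests' };
  }
  return { name, verdict: 'ok', reason: `SameSite=${sameSite}${secure ? '; Secure' : ''}` };
}

function auditAll(headers) {
  return headers.map(auditCookie);
}

for (const r of auditAll(SAMPLE_SET_COOKIE_HEADERS)) console.log(r.name, r.verdict, '-', r.reason);
```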