mapbox / mapbox-gl-js

Interactive, thoroughly customizable maps in the browser, powered by vector tiles and WebGL
https://docs.mapbox.com/mapbox-gl-js/

A cookie associated with a cross-site resource at http://mapbox.com/ was set without the `SameSite` attribute. #9404

Closed rafalolszewski94 closed 4 years ago

rafalolszewski94 commented 4 years ago

mapbox-gl-js version: 1.8.1

browser: Version 80.0.3987.132 (Official Build) (64-bit) macOS Catalina 10.15.3 (19D76)

Steps to Trigger Behavior

  1. Use Vue with https://soal.github.io/vue-mapbox/guide/ - but I think it's optional since it's using mapbox-gl underneath.
  2. Run it on a production website with a real domain.
  3. The console should give a warning which blocks display of the map (see below)

A cookie associated with a cross-site resource at http://mapbox.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Link to Demonstration

-

Expected Behavior

Display a map in production

Actual Behavior

Throws a warning in the console about the SameSite cookie attribute and prevents the map from displaying.

sgolbabaei commented 4 years ago

Thanks for opening this issue, @rafalolszewski94. Would you please provide an example that triggers this console message or point me to a page where you have observed this error? We recommend using https://jsbin.com. To my knowledge, none of the requests made from GL-JS to Mapbox should attempt to set a cookie and should not break as a result of Chrome's enforcement of the SameSite guidelines. But we can certainly double check that assumption.

rafalolszewski94 commented 4 years ago

You can see it here https://dominikkolasa.pl/

VictorBaudot commented 4 years ago

I just noticed the same warning today on my Reactjs webapp, appearing on every page on refresh, so I guess it comes from one of those two css files:

```html
<link href="https://api.tiles.mapbox.com/mapbox-gl-js/v1.4.1/mapbox-gl.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="https://api.mapbox.com/mapbox-gl-js/plugins/mapbox-gl-geocoder/v4.5.0/mapbox-gl-geocoder.css" type="text/css" />
```

rafalolszewski94 commented 4 years ago

Is there any investigation going on in this case or is it forgotten?

asheemmamoowala commented 4 years ago

This is a warning that only occurs on browsers where someone has visited and/or signed into https://www.mapbox.com, and not for other users. This can be confirmed by visiting the link in https://github.com/mapbox/mapbox-gl-js/issues/9404#issuecomment-597810206 with an incognito browser or from a Chrome browser that has not visited or logged into https://www.mapbox.com.

Closing here as there is no impact to end users viewing a gl-js map, and there is nothing actionable for this library.

rafalolszewski94 commented 4 years ago

We've changed map to Google embed, that's why it's working now.

Not visiting mapbox.com is not a solution for end users IMHO. Most of them probably won't visit it, but what if some did?

On Mon, Mar 16, 2020, 08:00 Asheem Mamoowala notifications@github.com wrote:

This is a warning that only occurs on browsers where someone has visited and/or signed into https://www.mapbox.com, and not for other users. This can be confirmed by visiting the link in #9404 (comment) https://github.com/mapbox/mapbox-gl-js/issues/9404#issuecomment-597810206 with an incognito browser or from a Chrome browser that has not visited or logged into https://www.mapbox.com.

Closing here as there is no impact to end users viewing a gl-js map, and there is nothing actionable for this library.


teropa commented 4 years ago

Agreed - relying on users not visiting mapbox.com and saying if they do there's nothing to be done is not really a solution. Cookies on mapbox.com should be structured so that no such problems occur.

euangordon commented 2 years ago

It would be nice if this was fixed. I get what you are saying about don't visit mapbox.com and you won't see the error, but surely there is something better that can be done... How many developer hours have been wasted looking into this issue? From a developer perspective this is really not ideal.
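
The rule quoted in the console message at the top of this thread ("Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure"), applied to `Set-Cookie` headers as an added example; it is not code from mapbox-gl-js or from any commenter. The function names, sample cookies and `example.com` domain are constructed, and treating a missing or unrecognized `SameSite` value as Lax is an assumption of the example.

```javascript
// Constructed sample headers; cookie names, values and domain are made up.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Domain=example.com',
  'prefs=dark; Path=/; SameSite=None',
  'track=xyz; Path=/; SameSite=None; Secure',
  'csrf=tok; Path=/; SameSite=Strict; Secure',
];

// Split a Set-Cookie value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? '' : pair.slice(0, eq), attrs };
}

// Apply the rule from the console message to one header: would the cookie
// accompany a cross-site subresource request (a stylesheet or tile fetch)?
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const declared = (attrs.samesite || '').toLowerCase();
  const secure = 'secure' in attrs;
  if (declared === 'none') {
    return secure
      ? { name, sameSite: 'None', delivered: true, reason: 'SameSite=None; Secure' }
      : { name, sameSite: 'None', delivered: false, reason: 'SameSite=None without Secure' };
  }
  if (declared === 'strict' || declared === 'lax') {
    const sameSite = declared === 'strict' ? 'Strict' : 'Lax';
    return { name, sameSite, delivered: false, reason: `explicit SameSite=${sameSite}` };
  }
  // Assumption of this example: missing or unrecognized values default to Lax.
  return { name, sameSite: 'Lax (default)', delivered: false, reason: 'no recognized SameSite value' };
}

// Names of the cookies that would not accompany cross-site requests.
function blockedCookies(headers) {
  return headers.map(crossSiteVerdict).filter((v) => !v.delivered).map((v) => v.name);
}

console.log(SAMPLE_HEADERS.map(crossSiteVerdict));
```

Running `blockedCookies` over the `Set-Cookie` headers a site returns lists the cookies that would trigger this console warning when the site's resources are embedded on another origin.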