privacycg / storage-access

The Storage Access API
https://privacycg.github.io/storage-access/

server side access (HTTP `Cookie` header) to cookies (`Lax`) inside iframe #193

Closed mrksbnch closed 5 months ago

mrksbnch commented 5 months ago

I have an application that can be embedded in other websites inside an iframe. To allow access to (auth) cookies (only the ones that the application could also access as a top level site) inside an iframe, the cookie SameSite is currently set to None. All cookies are only accessed on the server side and are HttpOnly cookies.

Since Chrome will stop support for third-party cookies, I was doing some tests with the Storage Access API and changed the following things in my application:

  1. Change SameSite for all cookies to Lax
  2. On the client side, use this piece of code to check if access to the storage API has been granted
  3. Embed application (https://applicaton.com) in another page (https://example.com)
  4. Grant access in Chrome

I expected that after granting access to the Storage API, I can now access these cookies inside the iframe on the server side. However, when I inspect the cookie header of the request, none of these cookies are sent.

Is this the expected behavior? If yes, are there any other ways for a case like mine to access cookies inside an iframe on the server side (cookie header)?

cfredric commented 5 months ago

Hi @mrksbnch,

Change SameSite for all cookies to Lax

SameSite=Lax cookies are not sent in cross-site contexts. If you need to access a cookie in a cross-site context, the cookie must be SameSite=None.

mrksbnch commented 5 months ago

@cfredric Ok, thanks. Then I incorrectly assumed that the Storage Access API changes this behavior. Will SameSite=None still be supported even after the announced third-party cookie changes in Chrome?

cfredric commented 5 months ago

Yes. The changes in Chrome will make third-party cookies (i.e. SameSite=None cookies in a cross-site context) largely unavailable by default, but it will still be possible to access them via the Storage Access API.

If you'd like to test out Chrome's upcoming cookie changes, you can do so using the flag listed here: https://developers.google.com/privacy-sandbox/3pcd/prepare/test-for-breakage
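The rule described in the two answers above, as an added example (not code from the thread or the spec): a `Set-Cookie` builder for the embedded application's HttpOnly auth cookie, plus a simplified model of whether that cookie reaches the server's `Cookie` header from a cross-site iframe. The `thirdPartyCookiesBlocked` / `storageAccessGranted` flags and the cookie name `session` are assumptions for the simulation; the browser-side helper at the end is only defined here, not executed.

```javascript
// Build the Set-Cookie value for an HttpOnly auth cookie with the given SameSite value.
function setCookieHeader(name, value, sameSite) {
  const attrs = [`${name}=${value}`, 'Path=/', 'HttpOnly', `SameSite=${sameSite}`];
  if (sameSite === 'None') attrs.push('Secure'); // SameSite=None is rejected without Secure
  return attrs.join('; ');
}

// Parse a Set-Cookie value back into name, value and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, sameSite: 'Lax' }; // Lax is the modern default
  for (const attr of rest) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v;
  }
  return cookie;
}

// Simplified model (an assumption, not the full browser algorithm) of whether the cookie is
// attached to a request from a cross-site iframe, e.g. applicaton.com embedded in example.com.
function sentCrossSite(cookie, { thirdPartyCookiesBlocked, storageAccessGranted }) {
  if (cookie.sameSite !== 'None') return false; // Lax/Strict are never sent cross-site
  if (!cookie.secure) return false;             // None without Secure is dropped
  if (!thirdPartyCookiesBlocked) return true;   // legacy behaviour: sent by default
  return storageAccessGranted;                  // after the Chrome changes: only with a grant
}

// Does a cookie set with this SameSite value reach the server from the iframe?
function simulate(sameSite, opts) {
  const cookie = parseSetCookie(setCookieHeader('session', 'abc123', sameSite));
  return sentCrossSite(cookie, opts);
}

// Browser-side part (runs inside the iframe; not executed here): obtain storage access,
// then make a credentialed request so the SameSite=None cookie is attached.
async function fetchWithStorageAccess(url) {
  if (!(await document.hasStorageAccess())) await document.requestStorageAccess();
  return fetch(url, { credentials: 'include' });
}
```

Note that `requestStorageAccess()` must be called from a user gesture inside the iframe, which is the "grant access in Chrome" step of the original report.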

mrksbnch commented 5 months ago

Ok, thanks a lot for the clarification. I'll then continue using SameSite=None (but request access to the Storage Access API first). I will give this a test using the Chrome flag and will close this ticket.