Closed (mrksbnch closed this issue 5 months ago)

mrksbnch (issue author):

I have an application that can be embedded in other websites inside an iframe. To allow access to (auth) cookies (only the ones that the application could also access as a top-level site) inside an iframe, the cookie `SameSite` attribute is currently set to `None`. All cookies are only accessed on the server side and are `HttpOnly` cookies.

Since Chrome will stop support for third-party cookies, I was doing some tests with the Storage Access API and changed the following things in my application:

- `SameSite` for all cookies to `Lax`

I expected that after granting access to the Storage API, I can now access these cookies inside the iframe on the server side. However, when I inspect the cookie header of the request, none of these cookies are sent.

Is this the expected behavior? If yes, are there any other ways for a case like mine to access cookies inside an iframe on the server side (cookie header)?

cfredric:

Hi @mrksbnch,

> Change `SameSite` for all cookies to `Lax`

`SameSite=Lax` cookies are not sent in cross-site contexts. If you need to access a cookie in a cross-site context, the cookie must be `SameSite=None`.

mrksbnch:

@cfredric Ok, thanks. Then I incorrectly assumed that the Storage Access API changes this behavior. Will `SameSite=None` still be supported even after the announced third-party cookie changes in Chrome?

cfredric:

Yes. The changes in Chrome will make third-party cookies (i.e. `SameSite=None` cookies in a cross-site context) largely unavailable by default, but it will still be possible to access them via the Storage Access API.

If you'd like to test out Chrome's upcoming cookie changes, you can do so using the flag listed here: https://developers.google.com/privacy-sandbox/3pcd/prepare/test-for-breakage

mrksbnch:

Ok, thanks a lot for the clarification. I'll then continue using `SameSite=None` (but request access to the Storage Access API first). I will give this a test using the Chrome flag and will close this ticket.
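To make the outcome of this thread concrete, the following is an added example (not code from the issue, from the Storage Access API repository or from Chrome) that models which cookies a browser attaches to a request coming from inside a cross-site iframe. It encodes the two rules the thread settles on: a `SameSite=Lax` cookie is never sent from a cross-site iframe, with or without storage access, while a `SameSite=None` cookie is sent once the embedded document has been granted storage access. It also enforces that a `SameSite=None` cookie must be `Secure`, which Chrome requires. The function names, the request-context object and the sample cookies are constructed for this example; `document.hasStorageAccess()` and `document.requestStorageAccess()` are the real browser APIs and the only browser-only part of the block.

```javascript
// Added example: a model of SameSite cookie delivery for an embedded (iframe) app.
// Function names, the ctx object and the sample cookies are constructed here.

// Build a Set-Cookie header value for the server side. SameSite=None must be
// paired with Secure, otherwise Chrome rejects the cookie outright.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite = "Lax", secure = true, httpOnly = true, path = "/" } = opts;
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None cookies must also be Secure");
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Parse a Set-Cookie header value into the attributes the decision below needs.
// A cookie with no SameSite attribute is treated as Lax (Chrome's default).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    sameSite: "Lax", secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "samesite") cookie.sameSite = v;       // "Strict" | "Lax" | "None"
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Decide whether the browser attaches `cookie` to a request described by ctx:
//   crossSite             request is cross-site relative to the cookie's site
//   topLevelNavigation    request is a top-level navigation (not an iframe load/fetch)
//   safeMethod            GET/HEAD (Lax cookies ride only on safe top-level navigations)
//   https                 request goes over HTTPS (Secure cookies need it)
//   thirdPartyCookiesBlocked  Chrome's upcoming default; undefined means today's default
//   storageAccessGranted  the embedded document obtained storage access
function isCookieSent(cookie, ctx) {
  if (cookie.secure && !ctx.https) return false;
  if (cookie.sameSite === "None" && !cookie.secure) return false; // never stored
  if (!ctx.crossSite) return true;
  switch (cookie.sameSite) {
    case "Strict": return false;
    case "Lax": return Boolean(ctx.topLevelNavigation && ctx.safeMethod);
    case "None": return !ctx.thirdPartyCookiesBlocked || Boolean(ctx.storageAccessGranted);
    default: return false;
  }
}

// Assemble the Cookie request header the server would see ("" if nothing is sent).
function buildCookieHeader(cookies, ctx) {
  return cookies.filter((c) => isCookieSent(c, ctx)).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Browser-only helper for the embedded page: ask for storage access before the
// first authenticated request. Must run in a page (typically from a user-gesture
// handler); it is not exercised by the tests below.
async function ensureStorageAccess() {
  if (typeof document === "undefined") return false;
  if (await document.hasStorageAccess()) return true;
  try { await document.requestStorageAccess(); return true; } catch { return false; }
}

// The scenario from the thread: one cookie switched to Lax, one kept as None,
// both requested from a cross-site iframe after storage access was granted.
function threadScenario() {
  const cookies = [
    buildSetCookie("session", "abc123", { sameSite: "Lax" }),
    buildSetCookie("session_embed", "abc123", { sameSite: "None" }),
  ].map(parseSetCookie);
  const iframeCtx = {
    crossSite: true, topLevelNavigation: false, safeMethod: true, https: true,
    thirdPartyCookiesBlocked: true, storageAccessGranted: true,
  };
  return buildCookieHeader(cookies, iframeCtx); // only the SameSite=None cookie
}

console.log(threadScenario()); // prints "session_embed=abc123"
```

The model shows why the experiment in the issue failed: with every cookie moved to `Lax`, `buildCookieHeader` returns an empty string for the iframe context no matter what `storageAccessGranted` is set to, whereas the `None` cookie appears once storage access is granted.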