A cookie associated with a cross-site resource at http://auth0.com/ was set without the `SameSite` attribute

Hi @michael_hindley,

The cookies concerned come from auth0.com and are a server concern. There is nothing that the SDK can do to change this.

We have already changed the server side to set the `SameSite` attribute accordingly - if you inspect the network tab, you should see the auth0 cookie come down with `SameSite` set to `None` in Chrome. I can verify that I’m getting the warning too, yet cookies seem to be set OK and everything still works. What we can’t understand is why Chrome is still showing the warning but everything still seems to work.

If you are still concerned, please try the following:

  • Inspect the actual cookie attributes and verify whether the `SameSite` attribute is being set correctly
  • Enable the SameSite flags in Chrome, or download the Canary release of Chrome (which has the flags set by default) and verify that calls to `getTokenSilently()` still work

If you are concerned that something isn’t working properly as it should, let me know.

2 Likes
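One way to carry out the first check suggested above on `Set-Cookie` values copied from the network tab, as an added example that is not part of the original post or of any Auth0 code. The cookie names, values and the helper names `parseSetCookie`, `crossSiteVerdict` and `auditHeaders` are constructed for illustration; the verdicts follow the behaviour of a browser that enforces the new SameSite defaults (no attribute is treated as `Lax`, and `SameSite=None` requires `Secure`).

```javascript
// Added example: cookie names and values are constructed, not real Auth0 cookies.
const SAMPLE_HEADERS = [
  "sess_a=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "sess_b=abc123; Path=/; HttpOnly; Secure",
  "sess_c=abc123; Path=/; SameSite=None",
  "sess_d=abc123; Path=/; Secure; samesite=lax",
];

// Split one Set-Cookie header value into its name and lowercase-keyed attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf("=");
    const key = (i === -1 ? item : item.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1).trim();
  }
  return { name: eq === -1 ? "" : pair.slice(0, eq), attrs };
}

// Verdict for a browser that enforces the new SameSite defaults, for cross-site
// subrequests (iframes, fetch/XHR) rather than top-level navigations.
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  const secure = "secure" in attrs;
  let sent = false;
  let reason;
  if (!["strict", "lax", "none"].includes(raw)) {
    reason = "SameSite missing or unrecognised: treated as Lax";
  } else if (raw !== "none") {
    reason = `SameSite=${raw}: not sent on cross-site subrequests`;
  } else if (!secure) {
    reason = "SameSite=None without Secure: cookie is rejected";
  } else {
    sent = true;
    reason = "SameSite=None; Secure: sent on cross-site subrequests";
  }
  return { name, sentCrossSite: sent, reason };
}

function auditHeaders(headers) {
  return headers.map(crossSiteVerdict);
}

console.table(auditHeaders(SAMPLE_HEADERS));
```

Running the audit over every `Set-Cookie` value in a response, rather than one cookie, shows whether any single cookie from the domain is still missing the attribute.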