Upcoming Browser Behavior Changes: What Developers Need to Know

Learn about upcoming changes to browser cookie behavior that may make your web applications incompatible.

Read on

Brought to you by Filip Skokan


What do you think about browser behavior changes? Are you getting ready?


Ramiro, I think that this is by far the easiest-to-digest article on this topic I’ve come across in our mitigation of the SameSite Doomsday. The high-level approach that is included with the usage of dual cookies is brilliant in its elegance and simplicity while still providing 100% browser compatibility coverage.

In the spirit of helping folks out who are also facing this issue internally, I’d also propose another mechanism for implementing Auth0’s dual cookie solution: using a proxy to inject and then coalesce cookies. I’ve written up a blog post of how we implemented the solution for our application in IIS: Adventures in Single-Sign-On: SameSite Doomsday – <CharlieDigital/>

My hope is that this information finds its audience before folks actually run into issues in production.

Cheers!

Any new updates on this issue? Now we are on Chrome 86 and Google sign-in in our app seems to work without any problem or any update to our implementation or Google OAuth library. However, our app cannot use it on Safari 14 (Chrome, Firefox and Edge on Mac and Windows do not have any problem.) On most other sites Google sign-in works on Safari. Where should I look to fix the problem with Safari? Should I assume we are out of the woods with Chrome, FF and Edge?

Reviving this thread due to the recent Issues now shown in Chrome related to Auth0.

Third-party cookie will be blocked. Learn more in the Issues tab
Cookies with the SameSite=None; Secure and not Partitioned attributes that operate in cross-site contexts are third-party cookies. In future Chrome versions, reading third-party cookies will be blocked. This behavior protects user data from cross-site tracking.
Please refer to the article linked to learn more about preparing your site to avoid potential breakage.

(You can view these warnings against an Auth0 sample application for simplicity)

Is there any approach being designed to handle the blocking of third-party cookies?

According to Google’s phaseout timeline it could be upon us within the next 6 months!
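
As an added example (not part of the thread and not Auth0 code), the JavaScript below sorts `Set-Cookie` headers by the rule in the Chrome warning quoted above: `SameSite=None; Secure` without `Partitioned` is a third-party cookie. The function names are hypothetical and the header values are constructed samples.

```javascript
// Added example: audit Set-Cookie headers against the Chrome warning quoted above.
// Function names and sample headers are constructed for illustration.

// Split one Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure have no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? "" : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Classify how Chrome treats the cookie in a cross-site context.
function classifyCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const sameSite = (attributes.samesite || "unset").toLowerCase();
  const secure = "secure" in attributes;
  const partitioned = "partitioned" in attributes;
  let status;
  // Lax, Strict, or unset (Chrome treats unset as Lax): not sent in cross-site subrequests.
  if (sameSite !== "none") status = "same-site";
  else if (!secure) status = "rejected"; // Chrome rejects SameSite=None without Secure
  else if (partitioned) status = "partitioned"; // kept, but keyed to the top-level site
  else status = "third-party"; // the case the warning says will be blocked
  return { name, sameSite, secure, partitioned, status };
}

// Return the names of cookies that would trigger the warning.
function findThirdPartyCookies(headers) {
  return headers.map(classifyCookie).filter((c) => c.status === "third-party").map((c) => c.name);
}

// Constructed sample headers, not captured from any real service.
const sampleHeaders = [
  "sso_session=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "sso_session_compat=abc123; Path=/; HttpOnly; Secure",
  "widget_state=xyz; Path=/; Secure; SameSite=None; Partitioned",
  "old_flag=1; Path=/; SameSite=None",
  "prefs=dark; Path=/; SameSite=Lax",
];
console.log(findThirdPartyCookies(sampleHeaders));
```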