Chrome: Warning message - SameSite cookie

Env:
Chrome: Version 77.0.3865.90 (Official Build) (64-bit)
OS: Debian 9 (64-bit)

Description:
Hi, after a Chrome update, we now see this warning in the console.
Is there a way to activate the SameSite attribute when the Auth0 instance is created?

A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

8 Likes
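The rule quoted in the warning above, as an added example (not code from this thread or from Auth0): it compares whether a cookie is attached to a cross-site subrequest before and after the change and lists the ones that stop being sent. The Set-Cookie values and all function names are constructed for illustration.

```javascript
// Constructed Set-Cookie header values (not captured from Auth0 or any real site).
const SAMPLE_COOKIES = [
  'legacy_session=abc123; Path=/; HttpOnly',
  'sso_session=abc123; Path=/; HttpOnly; SameSite=None',
  'sso_session_ok=abc123; Path=/; HttpOnly; Secure; SameSite=None',
  'csrf_state=xyz; Path=/; Secure; SameSite=Lax',
];

// Extract the cookie name plus the two attributes the warning is about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    // Unrecognised SameSite values are modelled as "attribute absent" (assumption).
    if (key === 'samesite' && ['strict', 'lax', 'none'].includes(value)) {
      cookie.sameSite = value;
    }
  }
  return cookie;
}

// Is the cookie attached to a cross-site subrequest (iframe, fetch/XHR, image)?
// Top-level navigations, where Lax cookies can still be sent, are not modelled.
function sentCrossSite(header, newRules = true) {
  const c = parseSetCookie(header);
  // Old behaviour: no SameSite attribute means unrestricted.
  // New behaviour: no SameSite attribute is treated as SameSite=Lax.
  const mode = c.sameSite ?? (newRules ? 'lax' : 'none');
  if (mode !== 'none') return { sent: false, why: `treated as SameSite=${mode}` };
  if (newRules && !c.secure) {
    return { sent: false, why: 'SameSite=None without Secure is rejected' };
  }
  return { sent: true, why: 'unrestricted' };
}

// Cookies that were delivered cross-site before the change and are not afterwards.
function regressions(headers) {
  return headers
    .filter((h) => sentCrossSite(h, false).sent && !sentCrossSite(h, true).sent)
    .map((h) => ({ name: parseSetCookie(h).name, why: sentCrossSite(h, true).why }));
}

console.log(regressions(SAMPLE_COOKIES));
```

Feeding it the Set-Cookie headers copied from the browser's Network panel shows which cookies need `SameSite=None; Secure` to keep working in a cross-site flow.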

+1, same here. Chrome Version 77.0.3865.90 (Official Build) (64-bit), Ubuntu 18.04 (64-bit)

1 Like

Hi @andres and @bruno-caravelo,

Thanks for pointing this out. It looks like there are some other users experiencing it, let me see what I can find out.

Thanks,
Dan

8 Likes

Also having the same issue.

I found out that this warning is also causing tremendous slowness on my app as it seems Chrome is affecting the authentication flow.

I’m having the same issue. My team is new to auth0 and right now (in development) we’re not experiencing any negative effects, just a noisy console. I’m concerned about issues once we deploy.

1 Like

@ejhalpin @tasktix @bruno-caravelo @andres

Hey everyone, I have an update on the warning.

It is a change to Chrome’s cookie protocol, scheduled to go live with Chrome 80 in Feb 2020. We are aware of the change in policy and are prepared for the Feb release.

Thanks,
Dan

From Chrome:
https://www.chromium.org/updates/same-site

1 Like

Thanks @dan.woda! Yes, for now it is just a warning, although it makes the console quite noisy. Do you have an ETA on the fix for this one?

3 Likes

@andres

I apologize, I don’t have any other information at this time. Filtering the warnings out would be all I can recommend.

2 Likes

I have the same issue and currently in my app I can’t sign in using Chrome Canary (for standard Chrome it’s fine).

@avernikoz,

This would make sense as Canary is likely requiring SameSite cookies, being a pre-beta build of Chrome.

If you have trouble in Chrome Canary, the SameSite behavior can be changed back to the old default by setting chrome://flags/#same-site-by-default-cookies to the value “Disabled”.

This flag obviously won’t fix the underlying problem, but if you’re using Canary for development work, it’ll make your site usable again for the time being.

3 Likes

In incognito mode, Chrome Canary will block any third-party cookies regardless of the SameSite attribute. So your company.auth0.com domain must be explicitly whitelisted by adding it to the Allow list at chrome://settings/content/cookies

1 Like

Thanks for the input @xoob!

Nice, thank you @xoob

I’m also running into login issues with Chrome 79 beta. Disabling cookies-without-same-site-must-be-secure or same-site-by-default-cookies gets around the issue so it would seem auth0 needs to address this before Chrome 80. Chrome 79 goes stable Dec 10.

Just encountered this issue in Chrome Dev. Disabling the same-site default worked. It seems quite a long time to wait for the fix until next year. Any way a fix can be deployed sooner?

1 Like

I should have an update soon. Thank you for taking the time to reach out on the issue!

2 Likes

Hey all, it looks like this update should be rolling out earlier than I initially thought. I don’t have a hard release date at the moment, but it looks like it should be live soon. We will have some official content on the changes when they roll out.

If you have any more questions feel free to post them here. Thanks.

1 Like

We have released a doc on SameSite:

Here is the Auth0 blog post about SameSite.

Interesting reads, thanks!

We are using the @auth0/auth0-spa-js npm package in an Angular application.
Is there anything we need to change to support the new cookie flow?
Except for updating the npm package perhaps.

2 Likes