Hi, I use Auth0 but I am not a web security expert. I use the latest Auth0 libraries and the sameSite warning is there, even if I also use what is essentially an adaptation of your example Java application.
I attach below all the warnings which I get now.
Would it be possible to update the app, or alternately to say in simple words what to modify, with example JS or Java or web.xml or server.xml code and not necessarily detailed diagrams of security protocols to study. Unless necessary, I would not want to know the intricacies of internet cookies just because Google is about to push some change, also because as a non-web security expert, I might miss something and produce an inferior solution.
I attach all the warnings which I get now.
A cookie associated with a cross-site resource at was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .
2reqwest.js:226 GET https://dev-.auth0.com/user/ssodata 404
getRequest @ reqwest.js:226
init @ reqwest.js:365
Reqwest @ reqwest.js:235
reqwest @ reqwest.js:429
Auth0.getSSOData @ index.js:1695
Auth0Lock.initialize @ index.js:670
onoptionsready @ index.js:576
binded @ index.js:12
done @ index.js:191
binded @ index.js:12
g @ events.js:169
EventEmitter.emit @ events.js:77
OptionsManager.state @ index.js:175
OptionsManager._onclientloaded @ index.js:260
binded @ index.js:12
(anonymous) @ index.js:148
g @ events.js:169
EventEmitter.emit @ events.js:99
global.window.Auth0.setClient @ index.js:189
(anonymous) @ .js?:1
index.jsp:1 Access to XMLHttpRequest at 'https://dev-.auth0.com/user/ssodata’ from origin ‘https://***’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.