disable chrome blocking cookies without SameSite=None [duplicate] - google-chrome

Now that Chrome 80 has implemented the SameSite cookie enforcement, is there a way to turn that off?

You can disable this behaviour via chrome://flags. Specifically, you can enter these two into your location bar:
chrome://flags/#same-site-by-default-cookies
chrome://flags/#cookies-without-same-site-must-be-secure
Set both to "Disabled".
However, while this might be useful for dealing with sites that still need to update, I would not expect this to be a long-term solution.

Related

samesite cookie issue on chrome

I am trying to load a page as an iframe. It loads correctly on Firefox, but the request fails on Chrome.
JSESSIONID=.......; path=/idp; HttpOnly
Chrome rejects the request by not setting the cookie, or something similar. I already tried it with an insecure Chrome, but the issue still exists.
A warning on Firefox:
Cookie “_idp_authn_lc_key” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”.
Also, I changed the Chrome settings to allow third-party cookies. I don't have any extensions on Chrome (such as AdBlock or similar extensions).
The main issue seems to be the default value for SameSite on Chrome, which is Lax by default when the attribute is not present, but currently it is None on Firefox.
Does anybody have an idea how I can change the default on Chrome?

Chrome filters out SameSite=None; Secure cookie

We have a web application with an iframe, which needs a cookie to access our server. We have set this cookie with the SameSite=None; Secure value, but the Chrome browser still filters out this cookie.
Filtered out cookie list:
The third cookie in this picture is filtered out. I thought cookies with "SameSite=None; Secure" should be sent with the request. What did I miss?
Check https://samesite-sandbox.glitch.me to see if your browser is enforcing the new defaults. If it's all green ✔, then it is. If there is any red or orange ✘ then something is affecting how cookies are set.
Check you do not have the setting enabled to block third-party cookies, e.g. go to chrome://settings/content/cookies and ensure "Block third-party cookies" is off.
Extensions may also affect cookies. Try testing in an incognito window or a fresh Chrome profile with no extensions installed.
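The rules behind the two flags in the accepted answer (SameSite defaulting to Lax, and SameSite=None requiring Secure) and the filtered SameSite=None; Secure cookie above, as an added example in Node.js that is not code from any of the posts; the Set-Cookie strings are constructed for illustration:

```javascript
// Added example, not code from any of the posts: a model of how Chrome 80's two
// flags from the answer above ("SameSite by default" and "cookies without
// SameSite must be Secure") decide the fate of a Set-Cookie header. It ignores
// Chrome's temporary "Lax+POST" two-minute exception.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// ctx.https: the response that set the cookie arrived over https.
// Returns whether Chrome stores the cookie, the SameSite value it enforces,
// whether it will be sent with a cross-site iframe request, and whether it is
// a session cookie (no Max-Age and no Expires, as in the setMaxAge(-1) question).
function chromeTreatment(header, ctx) {
  const c = parseSetCookie(header);
  const declared = String(c.attrs.samesite || '').toLowerCase();
  const secure = c.attrs.secure === true;
  // Unspecified or unrecognised SameSite is treated as Lax (same-site-by-default-cookies).
  const effective = ['strict', 'lax', 'none'].includes(declared) ? declared : 'lax';
  if (effective === 'none' && !secure) {
    // cookies-without-same-site-must-be-secure: the cookie is dropped entirely.
    return { name: c.name, stored: false, reason: 'SameSite=None requires Secure' };
  }
  if (secure && !ctx.https) {
    return { name: c.name, stored: false, reason: 'Secure cookie set over http' };
  }
  return {
    name: c.name,
    stored: true,
    effectiveSameSite: effective,
    sentInCrossSiteFrame: effective === 'none',
    session: !('max-age' in c.attrs) && !('expires' in c.attrs),
  };
}
```

A cookie like the JSESSIONID one in the iframe question above, with no SameSite attribute, is stored but never sent into a cross-site frame under these rules.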

cookie.setMaxAge(-1) is not working on Chrome browser?

I am sending a response and setting the maxAge for a cookie to -1. All browsers except Chrome delete my cookie once the browser is closed.
Chrome browser shows -
But the cookie still does not get deleted when I close the browser. How do I delete a cookie on Chrome? Or is there any robust way that will work on all browsers?
Likely to be one of these problems:
Chrome is still running in the background even though you closed the browser, so the session did not clear up.
One of the many bugs[1] relating to the session cookie deletion problem in Chrome.
[1] https://groups.google.com/a/chromium.org/forum/#!searchin/chromium-bugs/session$20cookies$20not$20deleted
As per the spec, not setting the max-age and expires directives causes browsers to treat your cookie as a session cookie. cookie.setMaxAge(-1) is doing the right thing internally if you say it works on all other browsers except Chrome, though you can try setting a cookie without max-age and expires, i.e., have your HTTP header field look like this:
Set-Cookie: test=2015; Path=/; Domain=.example.
I believe the robust solution is to go by the spec. Do not bother setting expires and max-age values if you want a strict session cookie. We then leave it up to the browsers to respect the spec.

toDataURL() breaking SSL connection

My problem is that I am using the canvas .toDataURL() method to display a preview of an image on Chrome and Firefox, but that is causing a warning to appear because the site is over an SSL connection.
I get the following warning message when I display the image using toDataURL():
The page at ... displayed insecure content from ....
This only happens in Chrome, since Chrome has that lock next to secure web pages:
which causes the green lock in the address bar to change to a warning state saying that there are resources on this page that are not secure.
Is this expected behavior for toDataURL()?
I don't see why it would be insecure, since I am not fetching any data over an HTTP connection, or even fetching any data at all, since it is all done via JavaScript.
But I am probably wrong, please correct me.
Is there a different way for me to make sure I am securing this content? Or to not cause the warning to occur? (And I do need to use the .toDataURL() method.)
Open the Developer Tools console in each browser and look for the exact URL that they're claiming is insecure. It would be very surprising to learn that either browser has such a bug. IE7 and below have this bug, but they don't support data URLs at all.
If you're displaying the image from an insecure location (file://), you can't move it to a secure context (https://) without running into errors. This might be causing the browser to treat it as insecure.
Recommended reading:
SECURITY_ERR: DOM Exception 18 on using getImageData in a Chrome Extension
HTML5 Canvas - How does the origin-clean flag get set to false?

Does Chrome's Developer Tools have an option to disable cache as firebug does?

Does Chrome's Developer Tools have an option to disable cache as firebug does?
If so would someone be so kind as to point me towards it?
In Issue 8742 in the Chromium issue tracker, a comment was added just a few hours ago:
There is now a checkbox for disabling cache in settings.
So there is hope that the feature to disable cache will finally make its way into Chrome. In the meantime, I put into my development server's Apache config:
Header set Cache-Control "no-cache"
I guess that should do the trick.
Update: In Chrome 15's Developer Tools settings (cogwheel in lower right hand corner) there is an option Network / Disable cache. Also you can clear the cache easily by right clicking in the network tab and selecting Clear browser cache.