How to solve SameSite attribute?
A cookie associated with a cross-site resource at http://doubleclick.net/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
Same for google.com, linkedin, facebook.com, twitter.com, etc.
Unable to add 'SameSite' attributes. What will be the best way to get this solved?
The reason you are getting this warning is that you are using an external resource (like an image). In my case, I copied an image URL/address online and included it in my project. I didn't save it in a folder, so I got that warning.
The way I solved it is simple, as I just said: download whatever file you are trying to access locally and that warning will disappear.
Hope this helps
For desktop applications there is a firewall that determines which app can connect to the internet.
Of course internet browsers and other internet apps are always unblocked; otherwise they are useless.
Now we change the point of view from OS->APPS and let's look the same way at BROWSER->PLUGINS.
The browser is always online, so how do I obtain something similar to an OS firewall but for the browser plugins? How do I know which add-on is actually connecting to its developer's server and sending some data about my browsing activity, add-on usage and so on?
Read the code
Unfortunately, AFAIK you have to read the code. For example, the extension
https://github.com/m0rtem/CloudFail/ does call home. You can search for "http" in the code.
Inspect the extension
On Firefox you can inspect an extension.
For example, inspect (aka debug) uBlock. You get the full dev tools on the extension's background page. Go to the "network" tab. Now, for testing, go to the extension's options. Update your filter lists. Then go back to the extension inspector's network tab: you see all the remote calls that the extension made, at your request. But you could also see any hidden call.
Content security policy
Sending the user's data to a remote server is not the same thing as writing code with poor security practices, exposing the user to malicious code execution from hackers. But still, it's related.
For Firefox, the default CSP is "script-src 'self'; object-src 'self';" https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy.
So you can read the extension's manifest.json to see if they changed the default policy.
You can also search for "google analytics" in the code.
Now, be aware that on the official stores, every extension's code base is reviewed by Chrome or Mozilla, so the worst practices (like hacking) are forbidden.
https://wiki.mozilla.org/WebExtensions/policy#II.Security.2F_Privacy
We are working on Chrome extensions that
read cookies from a domain which were set without the SameSite attribute
write cookies to a domain without the SameSite attribute
We have added permissions for both domains in manifest.json.
We enabled the following flags in the Chrome browser:
SameSite by default cookies
Enable removing SameSite=None cookies
Cookies without SameSite must be secure
Questions
Even after enabling the flags, we are able to read the cookies that were set with the following values from another domain. Is that expected, and if so, why?
without SameSite attribute
with SameSite=strict
Say an extension sets cookies without a SameSite attribute on a site with domain X.com. What happens when the site (X.com) is
consumed via iframe by another extension
consumed via iframe by another site with domain Y.com.
Will the cookie be rendered with the response in both cases?
Are requests from extensions considered cross-site requests?
How do cookies set by extensions in a domain behave? Is that similar to what happens when a web site from a different domain sets a cookie?
Will extensions with permissions to a domain in manifest.json be able to read cookies from the other domain irrespective of the SameSite value?
Howdy, I'm pretty sure this isn't going to work due to the way Chrome extensions operate outside the cookie store. It won't be able to read/write those values.
I ran into such a problem.
When I run the application on my laptop (Linux/Ubuntu 18), in the developer console in the Chrome browser I have this message:
A cookie associated with a cross-site resource at http://pubsub.rtschannel.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
On another laptop (Linux/Ubuntu 16) in the Chrome browser, when the application is launched locally, there is no such message.
I tried to find at least some information on this subject, but alas I couldn't. The only thing I could find was the link inside the message, saying that it was a browser bug and that in Chrome version 80 it should be fixed and this setting would be added by default.
Please tell me, does it depend on the browser settings, or can I somehow influence this message programmatically? Can I clear it somehow?
On the project I use AngularJS, if this can help.
Thanks.
These warnings are purely informational at the moment and do not affect site functionality. This behaviour will not be enforced until Chrome 80, which is due to hit stable in Feb 2020.
You can simply turn off the messages by setting chrome://flags/#cookie-deprecation-messages to Disabled. However, that is purely affecting the display of the messages.
If pubsub.rtschannel.com is not your domain, e.g. it's a third-party service you use, then it's that domain that will be responsible for updating the cookies.
If it is your domain, then you need to review the cookie usage and set an appropriate value for the SameSite attribute on the cookie. You can find more context and guidance on https://web.dev/samesite-cookies-explained.
Is there a way in the Chrome Extension API to add an exception URL for 3rd party cookies?
I have looked at content settings and privacy and found nothing. I know I can force allow 3rd party cookies altogether, but that seems invasive to the user.
It's not even possible to do it manually by going to chrome://settings/contentExceptions#cookies
If the "Block third-party cookies" setting is enabled, you cannot add any exception! You can only disable this option and allow all third-party cookies at the same time.
Pretty stupid from Google, I guess they're trying to force users to not block third-party cookies.
I'm always blocking third-party cookies, but because it wasn't working for attachments in Gmail (emails are served from mail.google.com and attachments from mail-attachment.googleusercontent.com) I wanted to add those two domains to the exception list, but cookies would still remain blocked. Only disabling the "Block third-party cookies" option would allow cookies to be set from third-party domains.
Hope that clears things up. Cheers!
Does the checkmark at the Http column of Chrome devtool's Cookie resource panel indicate a HttpOnly cookie?
I can't find docs that confirm this, though I suspect it is the case. I am trying to verify my app is using HttpOnly for session cookies.
Yes. Enter document.cookie in the console, and you'll see that none of the checked cookies are visible.
HTTP = HttpOnly flag, Secure = secure flag.
Yes. Right click on your page or press the F12 button. This will open the developer tools window. Go to the Application tab. It'll show as follows:
Now, typing document.cookie in the console, you'll see only the CSRF token being shown.
To make session cookies HttpOnly by default, set the 'useHttpOnly' attribute in context.xml in Tomcat for a Java web application. For more information, refer to http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
So, 2 things.
1) HttpOnly cookie: this name is a bit misleading, as we can send an HttpOnly cookie over HTTPS and it works perfectly fine. The main characteristic of an HttpOnly cookie is that it can't be accessed using JavaScript. In fact, you can't even manually edit it in Chrome's Application tab.
2) So how can you edit an HttpOnly cookie? In Chrome you can use an extension to edit cookies during development. In production mode there is no way you can adulterate it without a man-in-the-middle attack on the HTTP connection.
Today (May 2016), googling around for the same reason, I found this question and this page from developers.google.com explaining:
HTTP: If present, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.
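To tie together the SameSite warning discussed in the earlier questions and the HttpOnly column discussed here, the following added example (not code from any of the answers above) audits Set-Cookie headers the way Chrome 80+ treats them: a missing SameSite attribute is handled as Lax, SameSite=None without Secure is rejected, and HttpOnly hides the cookie from document.cookie. The sample headers are constructed for the example.

```javascript
// Added example: classify Set-Cookie headers under the Chrome 80 SameSite rules
// quoted in the question, and report the HttpOnly flag shown in DevTools' "HTTP" column.
//   - no SameSite attribute        -> treated as SameSite=Lax (not sent with cross-site
//                                     subresources such as images or iframes)
//   - SameSite=None without Secure -> cookie rejected outright
//   - HttpOnly                     -> not visible to document.cookie

const VALID_SAMESITE = new Set(["Strict", "Lax", "None"]);

// Parse one Set-Cookie header value into just the attributes the audit needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq >= 0 ? pair.slice(0, eq) : pair, sameSite: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [key, raw = ""] = attr.split("=");
    const k = key.toLowerCase();
    const value = raw.charAt(0).toUpperCase() + raw.slice(1).toLowerCase(); // normalise "none" -> "None"
    if (k === "samesite" && VALID_SAMESITE.has(value)) cookie.sameSite = value; // unknown values stay null
    if (k === "secure") cookie.secure = true;
    if (k === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Classify a cookie the way Chrome 80+ will handle it.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const effective = c.sameSite || "Lax";            // missing attribute defaults to Lax
  const rejected = effective === "None" && !c.secure; // "Cookies without SameSite must be secure"
  return {
    name: c.name,
    effectiveSameSite: effective,
    rejected,
    // Only None+Secure is sent with cross-site subresources (the doubleclick/image case).
    sentWithCrossSiteSubresource: !rejected && effective === "None",
    // Strict is also withheld from top-level cross-site navigations; Lax and None are sent.
    sentOnTopLevelNavigation: !rejected && effective !== "Strict",
    visibleToScript: !c.httpOnly,
  };
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  "id=abc123; Path=/",                           // no SameSite: Lax by default
  "sid=xyz; Secure; HttpOnly; SameSite=None",   // correct for a cross-site resource
  "tracker=1; SameSite=None",                   // missing Secure: rejected
  "csrftoken=t0k3n; SameSite=Strict",           // first-party only
];
for (const h of SAMPLE_HEADERS) console.log(auditSetCookie(h));
```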