8

I load YouTube videos in iframes on my website using Laravel 5.8.17. Peeking in the console I'm getting this warning:

A cookie associated with a cross-site resource at http://youtube.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I set my 'samesite' session.php to this now:

'same_site' => "lax", // was null before

But I'm still getting the warnings. How do I fix this properly?

Ansjovis86
  • 1,506
  • 5
  • 17
  • 48
  • I think they changed something in Chrome, check this discussion https://support.google.com/chrome/thread/16654793?hl=en – CREM Oct 21 '19 at 15:54

1 Answers1

13

For any of these warnings, if you are not responsible for the domain then you are not responsible for updating the cookies. The YouTube team will be responsible for updating the relevant code that sets the SameSite attributes for cookies from youtube.com.

At this point, the warnings are purely informational and are not impacting functionality. Enforcing this behaviour in stable Chrome is not scheduled until M80, currently targeted for Feb 2020.

rowan_m
  • 2,893
  • 15
  • 18
  • And due to Covid19 a temporary rolllback https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html – rhand Apr 11 '20 at 07:14
  • FYI, there is an issue filed with YouTube about this at https://issuetracker.google.com/issues/151754736 - subscribe there for updates, although there hasn't been a peep from the YouTube team so far. Also, if you don't care about users being able to connect with their YouTube account through your embed, you can simply replace youtube.com with youtube-nocookie.com and the error will go away. – Codiak Aug 10 '20 at 21:19