
Users have started having problems with Flash-based traffic under Chrome 80: cookies are not being sent with POST requests.

I'm aware of the SameSite updates, but our traffic is all same-domain, so I assumed this wouldn't affect us.

Debugging the request headers from the debug tools:

(screenshot: Chrome debug tools)

Here's what I note:

In an older version of Chrome 73:

  • there are no Sec-Fetch-* headers
  • Origin header is always correct
  • cookies are sent properly

In Chrome 80, GET requests:

  • Origin is correct, and cookies are sent
  • now has Sec-Fetch-* headers
  • the Sec-Fetch-Site cookie says cross-site -- Is this right? This is determined by the browser, correct? Why would Chrome label the traffic as cross-site? - the request URL is the same as my page, same as window.location.hostname.

In Chrome 80, POST requests:

  • Sec-Fetch-* cookies same as GET
  • the Origin header is null - wait, why? This also is assigned by the browser, right? Why null?
  • cookies are not sent

This makes absolutely no sense to me. It's always worked, and we don't use multiple domains, and our cookies are secure and httponly. Can someone help me understand:

  1. why Chrome 80 would label my requests as Sec-Fetch-Site: cross-site?
  2. why Chrome 80 would send Origin: null and no cookies for POSTs?
Jeff Ward

1 Answer


I am experiencing the same problem. For the POST request from Flash, sometimes the request doesn't contain cookies at all, sometimes it only contains one cookie key (I have multiple keys in my cookie). It looks like a bug in Chrome 80, unless they did it on purpose because they have wanted to kill Flash for a long time.

Bo Tinker
  • I really wonder if it's "on purpose / don't care". But I created a small test case, which didn't experience the problem. So now I'm very confused... Do you, by chance, use a crossdomain.xml file? – Jeff Ward Apr 01 '20 at 22:26
  • Hi, I am facing the same issue: sometimes the JSESSIONID cookie is transmitted in the POST request, sometimes not. This was because the JSESSIONID cookie did not have the SameSite=None and Secure flags. Please read more about it here: https://docs.adobe.com/content/help/en/target/using/implement-target/before-implement/privacy/google-chrome-samesite-cookie-policies.html – Doston Sep 09 '20 at 08:26
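As an added illustration (not code from the question or the answers above), here is a small model of Chrome 80's default SameSite cookie rules that can be run over a server's Set-Cookie headers to flag cookies a cross-site POST would lose, which is the GET-works/POST-fails asymmetry the question describes and the SameSite=None; Secure fix the last comment points to. The request shape, the sample headers and the cookie value abc123 are constructed here; the model treats an unspecified SameSite as Lax and deliberately ignores the temporary "Lax+POST" two-minute exception, and it does not model how the Flash plugin's requests get classified as cross-site.

```javascript
// Added example: model of Chrome 80's default SameSite rules for auditing Set-Cookie headers.
// Constructed for this page; not code from the question, the answer or Chrome itself.

// Parse one Set-Cookie header value into { name, sameSite, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'samesite') cookie.sameSite = v.trim().toLowerCase();
    if (k.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Decide whether Chrome 80 would attach the cookie to a request described as
// { siteRelation: 'same-site' | 'cross-site', method, topLevelNavigation, https }.
// Assumption: a missing SameSite attribute is treated as Lax (Lax-by-default);
// the short-lived "Lax+POST" exception is intentionally not modelled.
function cookieSent(cookie, req) {
  const mode = cookie.sameSite || 'lax';
  if (mode === 'none') {
    // Chrome 80 rejects SameSite=None cookies that are not also marked Secure.
    return cookie.secure && req.https;
  }
  if (req.siteRelation === 'same-site') return true;
  if (mode === 'strict') return false;
  // Lax: cross-site only on top-level navigations using a safe method.
  return req.topLevelNavigation && ['GET', 'HEAD'].includes(req.method.toUpperCase());
}

// Return the names of cookies that would be dropped for the given request.
function auditSetCookies(headers, req) {
  return headers.map(parseSetCookie).filter(c => !cookieSent(c, req)).map(c => c.name);
}

// Constructed sample headers: the first mirrors the JSESSIONID case from the comments
// (no SameSite attribute), the second is the corrected form, the third is None without Secure.
const sampleHeaders = [
  'JSESSIONID=abc123; Path=/; HttpOnly',
  'prefs=dark; Path=/; SameSite=None; Secure',
  'legacy=1; Path=/; SameSite=None',
];
const crossSitePost = { siteRelation: 'cross-site', method: 'POST', topLevelNavigation: true, https: true };
console.log(auditSetCookies(sampleHeaders, crossSitePost)); // [ 'JSESSIONID', 'legacy' ]
```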