
I am attempting to follow the new guidelines for cross-site cookies and passing the SameSite=None; Secure attributes with cookies as I attempt to set them in browser JavaScript code.

We are sending our SSO/Authorization JavaScript bundle from a separate host and domain that is supposed to set a cookie in the browser for storing the sessionToken. This cookie is then expected to be used on a browser refresh to maintain the user's session.

Since updating to Chrome 80, the cookie is no longer saved in the browser due to the following error:

A cookie associated with a cross-site resource at <sso_domain> was set without the
`SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with
cross-site requests if they are set with `SameSite=None` and `Secure`. You can review 
cookies in developer tools under Application>Storage>Cookies and see more details at 
https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

We are using js-cookie to set the cookie, which uses the browser's document.cookie to actually create it: https://github.com/js-cookie/js-cookie/blob/master/src/api.mjs#L38

Initially we were not passing the SameSite attribute through the attributes param (we were passing Secure), but even after updating our call to js-cookie and seeing the appropriate stringifiedAttributes in Chrome Inspector (both Secure and SameSite=None):

[Image: SameSite cookie attribute in Chrome Inspector]

I am still seeing the error in the Chrome console:

[Image: error in console]

Operating System: OSX
Chrome version: Version 80.0.3987.149 (Official Build) (64-bit)

Devlin
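
The attribute rules quoted in the Chrome 80 console message can be checked against the exact cookie string before it is assigned to `document.cookie`. The following is an added example, not part of the original question and not js-cookie's own code; `serializeCookie` and `auditCookie` are hypothetical helper names, and the sample cookie value is a placeholder.

```javascript
// Added example: serializeCookie and auditCookie are hypothetical helpers.
// Build the string a script would assign to document.cookie.
function serializeCookie(name, value, attrs = {}) {
  let out = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
  for (const [key, val] of Object.entries(attrs)) {
    if (val === false || val == null) continue;        // attribute switched off
    out += `; ${key}`;
    if (val !== true) out += `=${String(val).split(';')[0]}`; // flags carry no value
  }
  return out;
}

// Parse a cookie string and report why Chrome 80+ would withhold it
// from cross-site requests. An empty array means the attributes qualify.
function auditCookie(cookieString) {
  const parts = cookieString.split(';').map((p) => p.trim()).filter(Boolean);
  const attrs = new Map();
  for (const part of parts.slice(1)) {                 // parts[0] is name=value
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs.set(key, eq === -1 ? true : part.slice(eq + 1).trim());
  }
  const problems = [];
  const sameSite = attrs.has('samesite')
    ? String(attrs.get('samesite')).toLowerCase()
    : null;
  if (sameSite === null) {
    problems.push('no SameSite attribute: treated as Lax, not sent cross-site');
  } else if (sameSite !== 'none') {
    problems.push(`SameSite=${sameSite}: not sent with cross-site subresource requests`);
  } else if (!attrs.has('secure')) {
    problems.push('SameSite=None without Secure: cookie is rejected');
  }
  return problems;
}

// Constructed sample inputs (the token value is a placeholder).
const samples = [
  serializeCookie('sessionToken', 'PLACEHOLDER', { path: '/', secure: true }),
  serializeCookie('sessionToken', 'PLACEHOLDER', { path: '/', sameSite: 'None' }),
  serializeCookie('sessionToken', 'PLACEHOLDER', { path: '/', sameSite: 'None', secure: true }),
];
for (const s of samples) console.log(s, '->', auditCookie(s));
```

The same audit applies to the value of a `Set-Cookie` response header, so every cookie listed for the SSO domain in DevTools can be checked, not only the one written from script.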

0 Answers