
I am trying to embed my Angular application into another site through an iframe. In my Angular application I am setting cookies, and so when I try to embed the Angular application into my other site, DevTools shows an issue telling me that samesite=none wasn't set, so the default samesite=lax is being used, which prevents the Angular application from setting cookies.

Afterwards I tried setting the entry "set-cookie: samesite=none; secure" in the response header, but it didn't work. As you can see in the screenshot below, the browser still uses "same-site=lax".

This issue happens in Chrome and Edge (Chromium) but not in Firefox.

Questions:

  • Am I using the same-site setting incorrectly?
  • Why does the browser show me this message although I use "samesite=none;secure"?

Screenshot: (image not reproduced here)

Yusuf Ipek

1 Answer


Problem

You're misunderstanding Set-Cookie's syntax, and you've mistakenly omitted the cookie's name and value. Check out the MDN page on the topic:

A cookie definition begins with a name-value pair.

Accordingly, when the browser receives a response with the following header,

set-cookie: samesite=none; secure

it creates (or updates) a Secure cookie whose name is samesite and whose value is none. Because the SameSite attribute isn't specified and because Chromium now defaults to Lax for the SameSite attribute, the resulting cookie is effectively marked SameSite=Lax by your browser.

Solution

To fix this, you must choose a name and a value for your cookie and you must specify the cookie's name and value before any other cookie attributes:

Set-Cookie: <cookie-name>=<cookie-value>; SameSite=None; Secure
jub0bs
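Added example, not code from the question or the answer: a small Node.js script that parses a Set-Cookie header the way the MDN rule quoted above describes (first name=value pair is the cookie, everything after the first ";" is an attribute) and then applies the Chromium "Lax by default" rule from the answer. Running it on the asker's header shows the cookie that actually gets created (name "samesite", value "none", no SameSite attribute, so effectively Lax) next to a correctly built header. The function names (parseSetCookie, effectiveSameSite, usableInCrossSiteIframe, buildCrossSiteCookie) and the sample cookie "session=abc123" are assumptions made up for this illustration.

```javascript
// Added example, not from the original post. Parses a Set-Cookie header
// following RFC 6265 / MDN: the first "name=value" pair is the cookie,
// each ";"-separated part after it is an attribute. Attribute names are
// case-insensitive, so they are lowercased here.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  // A first pair with no "=" has no name; keep the whole text as the value.
  const name = eq === -1 ? '' : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair.trim() : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    // Flag attributes such as "Secure" and "HttpOnly" carry no value.
    attributes[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Mirror the Chromium behaviour described in the answer: a cookie whose
// SameSite attribute is absent (or unrecognised) is treated as Lax.
function effectiveSameSite(parsed) {
  const raw = parsed.attributes.samesite;
  if (raw === undefined) return 'Lax';
  const v = String(raw).toLowerCase();
  if (v === 'none') return 'None';
  if (v === 'strict') return 'Strict';
  return 'Lax';
}

// A cookie can be set from a page embedded in a cross-site iframe only if
// it is SameSite=None AND Secure (Chromium rejects None without Secure).
function usableInCrossSiteIframe(header) {
  const parsed = parseSetCookie(header);
  return effectiveSameSite(parsed) === 'None' && parsed.attributes.secure === true;
}

// Build a correct header for an embedded app. Refusing an empty name guards
// against exactly the mistake in the question (attributes with no cookie).
function buildCrossSiteCookie(name, value, extra = {}) {
  if (!name) throw new Error('cookie name is required before any attributes');
  const parts = [`${name}=${value}`, 'SameSite=None', 'Secure'];
  if (extra.httpOnly) parts.push('HttpOnly');
  if (extra.path) parts.push(`Path=${extra.path}`);
  if (extra.maxAge !== undefined) parts.push(`Max-Age=${extra.maxAge}`);
  return parts.join('; ');
}

// Constructed sample headers: the one from the question and a corrected one.
const WRONG_HEADER = 'samesite=none; secure';
const RIGHT_HEADER = buildCrossSiteCookie('session', 'abc123', { httpOnly: true, path: '/' });

for (const h of [WRONG_HEADER, RIGHT_HEADER]) {
  const parsed = parseSetCookie(h);
  console.log(JSON.stringify(h), '->', parsed.name, '=', parsed.value,
    'SameSite:', effectiveSameSite(parsed),
    'iframe-usable:', usableInCrossSiteIframe(h));
}
```

Because SameSite=None is only honoured together with Secure, the embedded Angular app (and the page framing it) must be served over HTTPS; over plain HTTP the corrected header is still dropped by Chromium.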