Google Chrome warning about Cloudflare cookie

Hello, our site provides a widget that other sites embed (like YouTube’s embed). Users log in to it, so we have cross-site cookies. Everything works great, but recently Chrome has been adding this warning in the console:

“A cookie associated with a cross-site resource at http://ourdomain.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.”

All of our cookies are set correctly, however there is a remaining cookie called “__cfduid” and that seems to be put by Cloudflare, which causes this warning to persist.

We are concerned that our service might stop working completely, when Google decides to enforce this policy just because of this remaining cookie.

What shall we do?

Thanks!

7 Likes
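As an added example (not from this thread or from Cloudflare), a small Python audit that classifies raw Set-Cookie headers the way the Chrome change described above treats them: no SameSite attribute means Lax by default (withheld from cross-site embeds), and SameSite=None without Secure is rejected. The sample headers, including the __cfduid value, are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieVerdict:
    name: str
    samesite: Optional[str]
    secure: bool
    cross_site_ok: bool  # would Chrome 80+ send it on a cross-site request?
    reason: str


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into the cookie name and its attributes (keys lowercased)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None  # flag attributes such as Secure / HttpOnly
    return name, attrs


def audit_set_cookie(header: str) -> CookieVerdict:
    """Apply Chrome's SameSite rules: missing -> Lax; None requires Secure."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    mode = samesite.lower() if samesite else None  # attribute value is case-insensitive
    if mode is None:
        return CookieVerdict(name, None, secure, False,
                             "no SameSite attribute: treated as Lax, so not sent to cross-site embeds")
    if mode == "none" and not secure:
        return CookieVerdict(name, samesite, secure, False,
                             "SameSite=None without Secure: Chrome rejects the cookie")
    if mode == "none":
        return CookieVerdict(name, samesite, secure, True, "SameSite=None; Secure: delivered cross-site")
    return CookieVerdict(name, samesite, secure, False, f"SameSite={samesite}: first-party only")


# Constructed sample headers (the __cfduid value is a placeholder, not a real cookie).
SAMPLE_HEADERS: List[str] = [
    "__cfduid=PLACEHOLDER; Expires=Wed, 11 Nov 2020 00:00:00 GMT; Path=/; Domain=.ourdomain.com; HttpOnly",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "prefs=dark; Path=/; SameSite=None",
]


def audit_all(headers: List[str] = SAMPLE_HEADERS) -> List[CookieVerdict]:
    """Audit every header; only the second sample survives a cross-site request."""
    return [audit_set_cookie(h) for h in headers]
```

Run `audit_all()` against the Set-Cookie headers captured from your embed's responses to see which cookies, yours or the proxy's, will be dropped.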

Did you find a solution to this problem? I am facing the same problem with an embed.

I believe this thread is something @cloonan should take a look at and raise internally. You could help by creating a ticket with support and posting the number here so that he can assign it to the correct queue.

3 Likes

I have contacted support about this, ticket # is 1770990

2 Likes

There is a bug on Chrome that generates this console warning.

https://bugs.chromium.org/p/chromium/issues/detail?id=954551

https://www.chromestatus.com/feature/5633521622188032

1 Like

My understanding is that this is intentional and not a bug. They currently give a warning, but this will become an error at some later version of Chrome.

Related issue https://bugs.webkit.org/show_bug.cgi?id=198181

Also, it only affects http sites.
Is your site not secure (http)?

Our site is fully https, and all our cookies have both the SameSite=None attribute and the Secure attribute, so it seems we’re fully compliant with this Chrome requirement.

Google Official: this needs to be solved by February 2020 (source: https://www.chromium.org/updates/same-site)

@cloonan, this looks like a major issue concerning all sites that run cross-site embeds (i.e. Intercom have just acknowledged this problem too). Would you please help to investigate this internally? I contacted support about this, ticket # is 1770990

2 Likes

Thank you, @david33, I’m digging internally and see your ticket. I’ll add myself to that to keep track of progress. I’ve seen a couple of similar issues, one related to browser insights (workaround is disable browser insights) and one indicating a resolution but no supporting link. Will continue to monitor & dig. If you receive an automated reply to your ticket, would you reply back indicating it’s still an issue? That’ll keep the ticket open for an engineer to review.

3 Likes

Thank you @cloonan for your attention. We believe this is a real issue that concerns a lot of Cloudflare customers.

We developers have already solved it simply by changing how our cookies are set, and the only thing remaining is Cloudflare’s cookie which, like for all of us, needs to be compliant with Google Chrome’s new security policy that is currently just a warning but will become real and enforced starting February 2020.

4 Likes

Hi @cloonan — to be clear, Cloudflare’s own cookies need SameSite=None, and the support document on Cloudflare cookies should be updated to address this browser vendor change. There is no workaround aside from Cloudflare rolling out the necessary update to its cookies (or Enterprise customers disabling Cloudflare’s cookie(s)).

Please escalate this issue internally. Cloudflare’s own cookies, which support its security features, will start functionally failing when Chrome 79 Beta is released next week. This means some applications will break for legitimate users because embedded Cloudflare-served resources won’t load with the _cfduid cookie being rejected by browsers.

2 Likes

Hi David,

Might this help?

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Thanks @carmi

Where/how would we use this?

We’re on a nginx server.

I don’t have any experience with nginx, so I’m sorry if this is unhelpful. I found this article with some instructions.

This is solely Cloudflare’s problem to fix, unfortunately. Changing your origin server’s cookies will not change Cloudflare’s cookies. Again, only Cloudflare can fix its _cfduid cookie, etc. as I pointed out here.

2 Likes

Under what circumstances will that happen? I turned cookies off temporarily on my browser and this didn’t seem to have any effect.

I am guessing that this cookie matters when a user receives a challenge, so Cloudflare remembers those who passed it.

@bertap is right. For security reasons Google Chrome requires cookies to work a certain way, period. We all need to comply, including (and perhaps especially) Cloudflare.

We customers cannot risk that our webapps stop working all of a sudden when Chrome’s new version ships. Unless this is fixed soon, we customers will have no choice but to leave Cloudflare.

From what I understand Chrome will not set those specific cookies, so the only issue would be that Cloudflare’s cookie would stop being set. It wouldn’t stop any web app from working.

1 Like

@matteo Maybe, maybe not, and it is precisely this uncertainty that needs to be resolved.

Sorry to say that either Cloudflare fixes this soon, or we’re gone.