Google Chrome warning about Cloudflare cookie

Related issue https://bugs.webkit.org/show_bug.cgi?id=198181

Also only affects http sites.
Is your site not secure(http)?

Our site is fully https, all our cookies have both the SameSite=None attribute and the Secure attribute, so it seems we’re fully compliant to this Chrome requirement.

Google Official: this needs to be solved by February 2020 (source: https://www.chromium.org/updates/same-site)

@cloonan, this looks like a major issue concerning all sites that run cross-site embeds (i.e. Intercom have just acknowledged this problem too). Would you please help to investigate this internally? I contacted support about this, ticket # is 1770990

2 Likes

Thank you, @david33, I’m digging internally and see your ticket. I’ll add myself to that to keep track of progress. I’ve seen a couple of similar issues, one related to browser insights (workaround is disable browser insights) and one indicating a resolution but no supporting link. Will continue to monitor & dig. If you receive an automated reply to your ticket, would you reply back indicating it’s still an issue? That’ll keep the ticket open for an engineer to review.

3 Likes

Thank you @cloonan for your attention. We believe this is a real issue that concerns a lot of Cloudflare customers.

We developers have already solved it simply by changing how our cookies are set, and the only thing remaining is Cloudflare’s cookie which, like for all of us, needs to be compliant with Google Chrome’s new security policy that is currently just a warning but will become real and enforced starting February 2020.

4 Likes

Hi @cloonan — to be clear, Cloudflare’s own cookies need SameSite=None, and the support document on Cloudflare cookies should be updated to address this browser vendor change. There is no workaround aside from Cloudflare rolling out the necessary update to its cookies (or Enterprise customers disabling Cloudflare’s cookie(s)).

Please escalate this issue internally. Cloudflare’s own cookies, which support its security features, will start functionally failing when Chrome 79 Beta is released next week. This means some applications will break for legitimate users because embedded Cloudflare-served resources won’t load with the _cfduid cookie being rejected by browsers.

2 Likes

Hi David,

Might this help?

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Thanks @carmi

Where/how would we use this?

We’re on a nginx server.

I don’t have any experience with nginx, so I’m sorry if this is unhelpful. I found this article with some instructions.

This is solely Cloudflare’s problem to fix, unfortunately. Changing your origin server’s cookies will not change Cloudflare’s cookies. Again, only Cloudflare can fix its _cfduid cookie, etc. as I pointed out here.

3 Likes

Under what circumstances will that happen? I turned cookies off temporarily on my browser and this didn’t seem to have any effect.

I am guessing that this cookie matters when a user receives a challenge, so Cloudflares remembers those who passed it.

@bertap is right. For security reasons Google Chrome requires cookies to work a certain way, period. We all need to comply, including (and perhaps especially) Cloudflare.

We customers cannot risk that our webapps stop working all of a sudden when Chrome’s new version ships. Unless this is fixed soon, we customers will have no choice but to leave Cloudflare.

From what I understand Chrome will not set those specific cookies, so the only issue would be that Cloudflare’s cookie would stop being set. It wouldn’t stop any web app from working.

1 Like

@matteo Maybe, maybe not, and it is precisely this uncertainty that needs to be resolved.

Sorry to say that either Cloudflare fixes this soon, or we’re gone.

Chrome itself solves the issue. Read this again. Cloudflare will fix this before it will become an issue, for sure. I don’t feel the need for being so overly dramatic over something that is in the not near future.

2 Likes

@matteo You are wrong, but I won’t waste my time arguing with you, simply because I don’t recall asking for your judgment, which I now have zero trust in following.

Well, that escalated quickly. Please, do as you wish.

Maybe a noob question… but why would you want to a cookie to set a HTTP header flag with HTTPOnly? Isn’t it best to always use HTTPS?

@getinthere007 This isn’t the topic of this thread. We are fully HTTPS already

Think noone will care about :man_shrugging:

1 Like