Google Chrome warning about Cloudflare cookie

I think, @biz3, the implications are:

  1. Blocking __cfduid, Cloudflare can’t get visitors behavior, so some Cloudflare tools and statistics, like “unique visitors”, would be limited.

  2. Blocking __cflb, load balancing with session affinity only will work if checked “By Cloudflare cookie and Client IP fallback”, but the distribution on nodes will be less efficient.

These warnings are still an issue for shopify embedded apps,which use an iframe.

they will all get these warnings in console, and shopify apps team contacted me that my apps would be removed if my app cookies arent updated (although my apps cookies are already updated, just not the cloudflare cookies)

@vf1 is the issue resolved as i’m facing the same issue with issue with __cfduid set to SameSite=Lax

same concern !!

The warning showed up last month and we spent weeks to change our code to make sure the samesite attribute is set on our cookie. But this cfduid cookie keeps showing us. If we enable the samesite flag on chrome then it will block all connection. It is frusting that has taken cloudflare so long to find a solution.

  1. set-cookie:

__cfduid=d833a96c69dd216c71bb871f5e2ac83af1584274294; expires=Tue, 14-Apr-20 12:11:34 GMT; path=/;; HttpOnly; SameSite=Lax; Secure

I am seeing the following error message in Chrome 80.0.

"A cookie associated with a cross-site resource at was set without the “SameSite” attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if hey are set with “SameSite=None” and “Secure”.

I believe the cookie is called “geoip”.

How do I resolve this? Is there a setting somewhere to add these attribuets?

Cross-Site requests cannot use SameSite cookies, this is why hey are termed SameSite. As for Chrome’s (IMO) absurd use of SameSite=None, that is the equivalent of not having a SameSite attribute in your Set-Cookie header at all. There’s a reason SameSite cookies exist - security (and privacy). Using iFrames to embed 3rd party content into your site is also a security risk and something that could be avoided. I’m surprised the 3rd party content in question allows itself to be embedded in other sites via iFrames. They need to lock down their security headers. And to anyone concerned with “warnings” in the Chrome dev panel, take them with a grain of salt unless your objectives aren’t able to be met due to the “warnings”.

Additionally, in case you want to play with a Worker script, you can always set an additional cookie such as that shown in the included screenshot,

Note that this does not remove CloudFlare’s Cooke as the header in question is a “Forbidden Response Header” and thus is not modifiable programmatically. But it does append the additional Set-Cookie header to CloudFlare’s and thus may help you to achieve your ends.

    addEventListener("fetch", event => {
    async function fetchAndReplace(request) {
    const response = await fetch(request);
    let type = response.headers.get("Content-Type") || "";
    if (!type.startsWith("text/")) {
    return response;
    let newHeaders = new Headers(response.headers);
    newHeaders.set("Set-Cookie", "__cookie=chocolate-chip;; path=/; HttpOnly");

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders
1 Like

Hi Cloudflare Community,

We also faced the @biz3 mentioned issue, We have an iframe from one domain (managed by cloudflare) being embedded into a different domain. We are seeing the same issue where _cfduid is being set to SameSite=Lax in Chorme Version 80.0.3987.163 (Official Build) (64-bit)

set-cookie:__cfduid=db066531e134c78a937569a011ac877691585940071; expires=Sun, 03-May-20 18:54:31 GMT; path=/;; HttpOnly; SameSite=Lax

Our site is not functioning correctly due to the SameSite=Lax, We have tested like bypass the Cloudflare in /etc/hosts, after that our site is working fine. So we confirmed Cloudflare cookie __cfduid SameSite=Lax is the issue.

Please fix it asap.


I’m having a weird behavior in Chrome when embedding a cross-domain site managed by CF in an iframe. Both sites are mine, however _cfduid SameSite=Lax cookie is causing the content in the iframe to be unclickable.

For some reason, Chrome seems to not apply the device DPI to the website. Visual content is normal, but actual functional (clickable) screen is only around 25% of it.
This happens only on mobile phones as far as I tested it.

Adding a couple of great recent resources to this thread:

As you read the first article, keep in mind this detail from the second article:

Depending on your Always Use HTTPs configuration, the _cfduid cookie will be created either as secure or non-secure.