Chrome cookie samesite attribute warnings

ben_a
Rookie Contributor

I'm seeing Chrome console messages concerning a lot of the cookies injected by my Tealium pixels.

For example:

(index):1 A cookie associated with a cross-site resource at http://doubleclick.net/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Is there any action I need to take in Tealium to resolve these warnings? It appears these will break when Chrome v80 is released (if I'm reading everything correctly).

Tealium Employee

Here are two good (and entertaining) resources on this topic.  It's entertaining because it is the Chrome developers having a friendly discussion with Safari developers.  The Chrome team is asking for a Safari fix in how it works with SameSite.  The doubleclick.net group may be waiting for this fix (or waiting until the last minute) to change how their server responds.

https://bugs.webkit.org/show_bug.cgi?id=198181

https://support.google.com/chrome/thread/16654793?hl=en

Because the doubleclick.net domain is owned by Google, you would expect them to flip the switches to update the SameSite response before they release their updated Chrome browser.  (This is also the perspective of one person in the second link above.)

I have a blog on this topic that shows a specific example of what will happen when the Chrome browser is updated next year. 

https://tealium.com/blog/uncategorized/chromes-samesite-feature-updates-could-be-more-significant-th...

I think the most important action you can take now is to work with your Enterprise data collection vendors and ask how to CNAME (make 1st party) their data collection endpoint. This is not possible for all vendors. For other vendors (Google domains such as doubleclick.net), it is likely just a matter of "wait and see."
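
The rule stated in the console warning quoted in the question, written out as a small audit helper. This is an added example, not part of the original thread and not Tealium or Chrome code; the function names (`parseSetCookie`, `crossSiteVerdict`, `auditCookies`) and the sample `Set-Cookie` values are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into the fields the SameSite rule needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq).trim(),
    secure: false,
    sameSite: null, // null means the attribute was not set at all
  };
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = rest.join("=").trim().toLowerCase();
  }
  return cookie;
}

// Verdict for a cookie set by a cross-site resource once the change ships:
// only SameSite=None together with Secure is delivered on cross-site requests.
function crossSiteVerdict(header) {
  const { secure, sameSite } = parseSetCookie(header);
  if (sameSite === "none") return secure ? "sent-cross-site" : "rejected";
  if (sameSite === "lax" || sameSite === "strict") return "same-site-only";
  return "defaulted-lax"; // no usable SameSite value: this is the warning case
}

// Return the cookies that will stop working for a third-party pixel.
function auditCookies(headers) {
  return headers
    .map((h) => ({ name: parseSetCookie(h).name, verdict: crossSiteVerdict(h) }))
    .filter((r) => r.verdict !== "sent-cross-site");
}

// Constructed sample headers, as a vendor endpoint might return them.
const sampleHeaders = [
  "example_id=abc123; Domain=.doubleclick.net; Path=/; HttpOnly",
  "vendor_uid=42; Path=/; SameSite=None",
  "vendor_uid2=43; Path=/; SameSite=None; Secure",
  "session=xyz; Path=/; Secure; SameSite=Lax",
];

console.log(auditCookies(sampleHeaders));
```

Run it over the `Set-Cookie` headers copied from the Network tab for each vendor pixel; anything it returns is a cookie the vendor has to reissue with `SameSite=None; Secure`, or one to move behind a first-party CNAME as the reply suggests.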