Find the cookie that causes Chrome's SameSite warning
As some of you know, Chrome will start using a new SameSite cookie policy this month (https://web.dev/samesite-cookies-explained/ and https://www.chromium.org/updates/same-site).
We are using Auth0 for our App and have seen this SameCookie warning in Chrome's console since the end of last year:
Now since introduction of the new policy is getting closer, I tried to find the offending cookie using the Application view in Chrome's developer tools. This is what is shows:
As you can see, there is no entry for Secure or SameSize for any cookie.
So I enabled the new policy to see what will change. This can be done in chrome://flags
After these changes I see a message in the console, telling me that a cookie was blocked.
But the Application view in Chrome's developer tools shows exactly the same cookies as before.
Also, I went through each entry in the developer tools Network view. There is no Cookie tab for any of the entries.
This is very frustrating, as I do not know if thee blocked cookie is relevant for the functioning of our application.
Is there a way to find out which cookie was blocked? Can't Chrome just mention the cookie in the warning that it writes into the console?
We've put together a more in-depth debugging guide here: https://www.chromium.org/updates/same-site/test-debug
As a tl;dr
- In the Network panel, select a request, go to the Cookies sub-tab, check the "show filtered out request cookies", and you can see each cookie along with the ones that were not included
- Capture a NetLog dump from Chrome and you can examine this in detail for the specific blocking events.
- Where to store the refresh token on the Client?
- Setting cookie from java spring boot rest API to angular
- Correct way to delete cookies server-side
- Browser ignoring Set-Cookie
- How to Properly Set Up Auth Middleware in Nuxt 3 with Node.js Backend?
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- How do I store a cookie recording if a user clicked a button, using JavaScript?
- Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
- How does Double Submit Cookie Pattern Prevent against CSRF attacks?
- Curl cookie authentication
- Set-Cookies Header not setting the cookie
- Why CSRF token should be in meta tag and in cookie?
- I can't receive `httponly` cookie on `localhost` HTTPS back end
- How to get cookie value in expressjs
- Cookie with Max-Age = 0 and Expire = session survived after HTTP redirect?
- Sending custom cookies (and viewing the ones set naturally) with Perl's WWW::Mechanize
- Cookies headers are present but Cookies are not stored in browser
- Django HTTP response always sets `sessionid` cookie and session data do not persist
- How to delete a cookie in FastHTML?
- How to disable cookies in Django manually
- How to delete cookie with Django in Docker?
- Unable to set/get/delete cookies in Next.js 15 route handlers using the Cookies API?
- How to bypass SameSite cookie restriction in Microsoft Edge during local development (HTTP) so browser can accept cookie send from backend
- Set-cookie isn't working with React and Django
- (Safari Only) Axios request does not send cookies to Node.js/Express REST API
- React/Express set-cookie not working across different subdomains
- Blazor Custom AuthenticationStateProvider Not Setting Cookies or Authorizing Pages
- "Remember me" feature for login in TikiWiki site not working
- Set-Cookie in Server Action doesn't work with path /auth
- Cookies work great on localhost but does not work on VPS