SameSite=none and insecure http cookies fail to work on Chrome
I'm running my aspnet core application locally on http://localhost:5002 and for some reasons I don't want to use https. It uses OpenIdConnect middleware for authentication and it produces temporary cookie as shown below:
As a result Chrome blocks these cookies because of missing secure flag. From the other hand this request is HTTP (insecure) and it's impossible to mark the cookies secure. The only way I see is to avoid using HTTP and switch to HTTPS which is not a good option for me for local development. Can I still use HTTP + OpenIdConnect middleware + Crome and what is a workaround?
Perhaps this could shed some light- LINK.
From the article
Chrome is changing the default behavior for how cookies will be sent in first and third party contexts. Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax, i.e. they will be restricted to first-party or same-site contexts by default. Cookies that are intended for third-party or cross-site contexts must specify SameSite=None and Secure. Note: this also means cross-site or third-party cookies are restricted to secure / HTTPS connections only.
Since, I am guessing, your auth server is server from another domain its a third-party cookie, so it falls under the new Chrome (>= v80) policies.
The workaround here would be either a downgrade in your Chrome version or use a browser without these restrictions.
- Google Chrome browser in Android 12 emulator doesn't load any webpages (internet is working!)
- Which ChromeDriver version is compatible with which Chrome Browser version?
- Copy an object from the webkit inspector as code
- Remote Debugging for Chrome iOS (and Safari)
- Unable to inspect Android device via Chrome://inspect
- how to programmatically identify latest version of chrome
- What does the argument --virtual-time-budget of Chrome CLI really mean?
- How to get the value of a Google Chrome flag using Javascript
- 100vh height when address bar is shown - Chrome Mobile
- Taking full page screenshot with a Chrome extension
- Image not loading on local site I made
- SSL Localhost Privacy error
- Video auto play is not working in Safari and Chrome desktop browser
- Is there a way to set the Google Chrome's developer tools window to always be on top?
- Origin <origin> is not allowed by Access-Control-Allow-Origin
- Chrome push notification - How to open an URL address after clicking?
- How can I make sure AuthName works in all browsers?
- How can I change the window title of an opened youtube video to include the channel name?
- Why is my localhost self-signed SSL certificate suddenly invalid in Chrome?
- chrome extension - Service worker registration failed - manifest V3
- After Loading Page in Inspect Mode ,Shows No Internet Error.How to resolve this issue?
- Responsive media query not working in Google Chrome
- How to run a web application in Android mobile Chrome browser
- How to permanently exclude localhost from HSTS list in Google Chrome
- How to force JavaScript to deep copy a string?
- How is the missing path attribute of a cookie computed or handled in a Single Page Application?
- How to tell why a cookie is not being sent?
- request.getParameter returning null values in chrome
- How to get rid of "Choose your search engine" dialog in Chrome v.127 on Selenium test run?
- Is there a way to resize a web browser's window so that their dimesions are a specific width and height?