SameSite Common Warnings

As more browsers adopt the SameSite attribute, they have started displaying warnings and other messages to let developers know about the change and that they should start implementing it. Below are some of the common warnings you may run into.


Chrome missing SameSite attribute:

A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application > Storage > Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032

This warning will show up in Chrome DevTools if your site sets a cookie without the SameSite attribute. If you have not already set it, you should do so as soon as possible.
To fix this, your cookies should look like the following:

Set-Cookie: color=blue; SameSite=Lax

SameSite=None but missing Secure:

A cookie associated with a cross-site resource at https://example.com was set without the SameSite attribute.

This error will show up if you set the SameSite attribute to None but do not add the Secure flag to the cookie.
To fix this, your cookies should look like the following:

Set-Cookie: color=green; SameSite=None; Secure

Default SameSite:

Some cookies are misusing the “sameSite“ attribute, so it won’t work as expected.

This warning will show up if you do not include the SameSite attribute, in which case some browsers may apply SameSite=Lax by default. You should set the attribute explicitly on the server side to fit your needs.
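
To catch these conditions before a browser reports them, the following added example (not part of the original page) audits Set-Cookie header lines for a missing SameSite attribute and for SameSite=None without Secure. It also flags unrecognised SameSite values, which goes beyond the warnings above; the function names, finding labels and sample headers are constructed for illustration.

```python
"""Audit Set-Cookie header lines for the SameSite conditions described above."""

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Return (cookie_name, {lowercased_attribute: value}) for one header line."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie name=value pair: %r" % header)
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        # Attribute names are case-insensitive; flags such as Secure have no value.
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header):
    """Return (cookie_name, findings); an empty findings list means no warning."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "samesite" not in attrs:
        findings.append("missing-samesite")        # browser default may apply
    else:
        value = attrs["samesite"].lower()
        if value not in VALID_SAMESITE:
            findings.append("invalid-samesite")    # not Strict, Lax or None
        elif value == "none" and "secure" not in attrs:
            findings.append("none-without-secure")
    return name, findings


# Constructed sample headers, not captured from a real site.
SAMPLE_HEADERS = [
    "Set-Cookie: color=blue; SameSite=Lax",
    "Set-Cookie: color=green; SameSite=None; Secure",
    "Set-Cookie: color=green; SameSite=None",
    "Set-Cookie: session=abc123; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        cookie, problems = audit_set_cookie(line)
        print(cookie, "->", ", ".join(problems) or "ok")
```

Run it over the Set-Cookie lines from a response capture or a test suite and fail the build on any non-empty findings list.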