`SameSite` attribute. Warning Chrome

[ScottAgirs]

In the last couple of days, Chrome has started notifying of deprecation in a "unsafe" cross-origin.

I have not been able to find a solution or what should/could be done here to avoid potential future issues.

Below are a screenshot and a transcript of the error.

 A cookie associated with a cross-site resource at https://stripe.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

[fred-stripe]

Hi @ScottAgirs, thanks for the report! We're already tracking this internally as this warning comes from Stripe.js, not from react-stripe-elements. For now this is a warning and won't affect payments, and we're working on a fix which will eliminate this message and be compatible with Chrome's upcoming cookie-handling changes.

[TheVaporTrail]

@fred-stripe, will you notify developers when this change is ready? How? Thanks! David

[noylev]

I'm also having the same issue -when it would be fixed?

[imamiri]

I'm facing the same issue when the fix will be out?

[oliver-stripe]

@noylev The screenshot you've included is for cookies/resources unrelated to Stripe (looks like they're Google related).

---

There are some cookies that Stripe sets that we are working on adding the SameSite attribute to decrease occurrences of this warning as it pertains to Stripe domains. That said, for nearly all of these cases the default behavior in Chrome 80 will be acceptable and will not break anything Stripe-related, despite being a bit noisy in the mean time.

[rdforte]

has anyone got any updates on this issue? I am having the same problem.

[holographix]

@oliver-stripe did you guys have a time for how long is this fix going to take?
This warning is spreading like a wildfire

[oliver-stripe]

Chrome 80 is set to be released early February, which will contain the new behavior being warned of. We're working through explicitly setting SameSite on various cookies and will have that done before then, but I don't have a concrete timeline yet.

Note that the change in behavior will not be impactful for most of these cookies and will not break any Stripe functionality.

In the mean time, if the warnings are problematic during development, you can also disable them at chrome://flags/#cookie-deprecation-messages.

[casper5822]

With the new Chrome version, it is now an error, not only a warning.

[oliver-stripe]

@casper5822 I couldn't reproduce on Chrome 79. It's still a warning in our tests. Do you have a screenshot? I don't believe it should have changed before Chrome 80 (https://www.chromestatus.com/feature/5088147346030592).

That said, we still intend on having the applicable cookies addressed before Chrome 80 ships (Feb).

[casper5822]

If i use the test key it there is a cors error with Chrome 79. If i use the production key it is a warning

[oliver-stripe]

@casper5822 That sounds like probably a different issue. If you still have issues, please send details to our support and they can help you out! (https://support.stripe.com/)

[gravsten]

We are less than a month away from the Chrome 80 release (in February).
Any news about the aforementioned "fix" being worked on by Stripe ?