I am using the Okta-Signin-Widget and am getting the following warning in Chrome:
“A cookie associated with a cross-site resource at https://[REMOVED]-admin.oktapreview.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.”
I am using @okta/okta-signin-widget (3.4.2) and Chrome 78.0.3904.108.
Anyone know why these attributes are not set, or how to set them?
Thank you for the reply. I am currently not using iOS12.* or iOS devices. If this is still the cause of the problem I am seeing, is there something I need to do to get rid of this Chrome warning?
Still an issue with sign-in widget 4.4.3. The SameSite attribute is set to Lax. I don’t know if this is because Okta Auth is explicitly setting it or it is not being set, which defaults to SameSite=Lax.
According to the issue generated by Chrome:
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.
So after some further research I think that this is being handled in the okta-auth-js layer and the reason it is Lax is because I am running http on localhost. I have not tested yet on https but it seems as if it is working as designed.
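An added example, not part of the thread and not Okta's code: a small JavaScript check that classifies `Set-Cookie` header values by how a browser enforcing the SameSite rules from the Chrome warning treats them. The function names and the sample header strings are constructed for illustration.

```javascript
// Added example: classify Set-Cookie header values under the SameSite rules
// in the Chrome warning quoted in this thread. Header strings are constructed.

// Parse one Set-Cookie header value into the fields that matter here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    secure: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") cookie.secure = true;
    if (k === "samesite") cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Return how a browser enforcing the new rules treats the cookie.
function classify(header) {
  const { name, secure, sameSite } = parseSetCookie(header);
  if (sameSite === "none") {
    // None is only honoured together with Secure; otherwise the cookie is rejected.
    return { name, treatment: secure ? "cross-site" : "rejected" };
  }
  if (sameSite === "strict") return { name, treatment: "strict" };
  if (sameSite === "lax") return { name, treatment: "lax" };
  // No SameSite attribute (or an unrecognised value): treated as Lax by default.
  return { name, treatment: "lax-by-default" };
}

const samples = [ // constructed headers, not captured from Okta
  "sid=abc123; Path=/; HttpOnly",
  "sid=abc123; Path=/; SameSite=None",
  "sid=abc123; Path=/; Secure; SameSite=None",
  "sid=abc==; Path=/; SameSite=Lax",
];
for (const h of samples) {
  console.log(classify(h).treatment.padEnd(15), h);
}
```

Only the `cross-site` result is delivered with cross-site requests; the other results explain why a cookie stops arriving in a third-party context.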