Chrome says about problem with plugin’s cookie
Good day!
Thank you for your plugin. I have used it for a couple of years, and everything works great.
Today I installed the latest version, and got a message in the Chrome console:
A cookie associated with a cross-site resource at http://datatables.net/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
So, I just want you to know; maybe you can fix it in the future.
Thank you.
Replies
Hi,
That cookie is created and used by CloudFlare - information about it is available in the documentation. It's not something that is being intentionally created by us and it is not created by the DataTables software.
I have an open tech support question with CloudFlare about this at the moment and will post back when I get any updates.
Allan
Hello Allan,
Any updates on this issue?
This is the latest I have from CloudFlare support:
That was 10th October. I've not heard more since and I've been seeing that warning in my own console, so no change I guess unfortunately.
Any updates I do get, I'll post here.
Allan
Thanks!
Yes, it's the __cfduid cookie being set by Cloudflare for cdn.datatables.com. If you're an enterprise customer you can disable that cookie from being sent. Currently it's only a warning in Chrome, but cookie will default to SameSite=Lax in version 80 when released February 4, 2020. SameSite Updates
And what would defaulting to "SameSite=Lax" mean in practical terms? Would something break?
There's no impact to DataTables, only Cloudflare. The tracking cookie used by them will still be returned to them if it's a GET request but not a POST. See Using the Same-Site Cookie Attribute to Prevent CSRF Attacks for more details.
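For readers auditing their own third-party cookies against the Chrome 80 rules discussed in this thread, the following is an added example and not code from DataTables, Cloudflare or any poster here. It parses a Set-Cookie header, derives the policy Chrome 80 applies, and also covers whether the request is a top-level navigation; the function names and the sample header are constructed for illustration.

```javascript
// Added example: classify a Set-Cookie header under Chrome 80's SameSite defaults.
// Function names are hypothetical; SAMPLE is constructed, not captured traffic.
const SAMPLE = '__cfduid=d0123abc; path=/; domain=.example.net; HttpOnly';

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map(s => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Policy the browser enforces: a missing or unknown SameSite value falls back
// to Lax, and SameSite=None without Secure causes the cookie to be rejected.
function effectivePolicy(cookie) {
  if (!['strict', 'lax', 'none'].includes(cookie.sameSite)) return 'lax';
  if (cookie.sameSite === 'none' && !cookie.secure) return 'rejected';
  return cookie.sameSite;
}

// Would a stored cookie with this policy be attached to the request?
// Models the default rules only (no temporary browser exceptions).
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
function isSent(policy, { crossSite, method, topLevelNavigation }) {
  if (policy === 'rejected') return false;
  if (!crossSite || policy === 'none') return true;
  if (policy === 'strict') return false;
  // Lax: cross-site only on top-level navigations using a safe method.
  return topLevelNavigation && SAFE_METHODS.includes(method);
}

// Summarise one header for an audit report.
function audit(header) {
  const cookie = parseSetCookie(header);
  const policy = effectivePolicy(cookie);
  return {
    name: cookie.name,
    policy,
    warns: cookie.sameSite === null, // the console warning quoted in this thread
    crossSiteScriptLoad: isSent(policy, { crossSite: true, method: 'GET', topLevelNavigation: false }),
    crossSiteLinkClick: isSent(policy, { crossSite: true, method: 'GET', topLevelNavigation: true }),
    crossSiteFormPost: isSent(policy, { crossSite: true, method: 'POST', topLevelNavigation: true }),
  };
}
```

Calling `audit(SAMPLE)` reports the cookie as defaulting to Lax, which is the case the Chrome warning describes.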
Very interesting - thanks for the links @mguinness. We are enterprise CloudFlare customers due to the amount of bandwidth our CDN uses, so I could turn it off, but the __cfduid cookie is used to help with caching and attack prevention.
Allan
@Seven77 You can test the impact of the change beforehand to ensure nothing breaks in Chrome.
Thanks. I tried it and it doesn't seem to have any obvious effect.
Hi all,
A little update on this from CloudFlare support:
So you should no longer be seeing the warning message in the console.
Allan
Hi Allan,
Looks like this same thing will need to be done with the Editor plugin as well. I get this currently for pages that I have the Editor code running:
A cookie associated with a cross-site resource at http://editor.datatables.net/ was set without the "SameSite" attribute
Editor doesn't have any resources that should be getting loaded remotely from editor.datatables.net. Are you able to give me a link to the page showing that error so I can see what is happening please?
Thanks,
Allan
Hi Allan,
I'm always getting the "A cookie associated with a cross-site resource at http://live.datatables.net/ was set without the SameSite attribute." and sometimes the "A cookie associated with a cross-site resource at http://datatables.net/ was set without the SameSite attribute." when I'm using
I suspect that the CloudFlare solution is taking a while to roll out. I'll check in with them.
Allan
Looks like it's been resolved, don't see them any more.
Thanks!
I am having exactly this same problem and am concerned about the possible effects when Chrome makes the change.
I have tried using the latest versions and am still getting the 'cross-site' warning.
Has the problem really been resolved?
@rhf It's not really an issue but it has been resolved, I don't get them any more.
Thanks, nickpapoutsis, but I am still getting the warning.
@rhf Try clearing cookies and local/session storage.
@allan Any updates on this? I still get the warning. I tried to clear cookies and local/session storage as @nickpapoutsis suggested, but when I refresh the page it still comes back. Has this really been fixed yet? I'm using DataTables version 1.10.20, if it matters.
Unfortunately it doesn't look like CloudFlare have completed their changes needed for this yet. DataTables itself doesn't use any cookies - the error is coming from the CloudFlare cookie used to help improve the CDN caching.
To side step the problem, you could host the DataTables code on your own server.
Allan