Cookie warning in Chrome

Hi Intercom.

I started getting this warning in Chrome today:

A cookie associated with a cross-site resource at http://intercom.io/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

So how can we remove this warning - can I configure the SameSite attribute somewhere?

I am running Intercom in an SPA.

Thanks in advance,

2 Likes

Hey there,

It looks like Chrome made a recent change where this warning pops up everywhere. To clarify, the warning is not isolated to Intercom. You should also be able to see it on various websites:
https://www.google.com/
https://www.facebook.com/

Our team will need to investigate this warning a bit more, but at this time there shouldn’t be any functional issues. No action should be needed on your side currently to address this specific instance of this warning message.

Hi @daniel.logue - thanks.

This was the response I was expecting from you - thanks :nerd_face: But please don’t forget this issue, even though it’s not causing problems right now. It’s frustrating to look at in the console as a developer :sunglasses:

Just wanted to update, with a link to the Chrome documentation of SameSite updates.

So the changes to the protocol are scheduled to go live with Chrome 80 in Feb 2020

Just wanted to flag this as an issue that is still prevalent and needs to be corrected ASAP. Beyond just being a nuisance for development it’s obviously got the potential to cause some major issues in a little over 2 months.

Hey @Kent_Safranski :wave:

Just a heads up that we ended up pushing a fix for this a few weeks ago. Any new cookies that are created shouldn’t have this problem. If you open up your site in an Incognito window or clear your current cookies then you shouldn’t run into this warning.

:+1: thanks for the quick reply, seems good in incognito.

@adam.lamar It’s easy to clear cookies on developers’ computers, but what about our customers out there in the wild? Will cookies expire sometime soon for them automatically? Or do we need to take some action in our code for that to happen?

NB. It also seems fine in incognito for me, but clearing cookies in non-incognito mode does not help. Any ideas why?

@Kent_Safranski can you please check if clearing cookies works for you?

@Dmytro_Gokun I ran a test before my original reply, and clearing the cookies for my browser worked for me.

Visitor/Lead cookies have an expiration date of 9 months:

Calling our JavaScript shutdown method should cause the cookies to expire:



Not 100% sure what the impact will be if someone has the old cookie come February, but for the timeline Chrome gave everyone for this I’d imagine they’re not expecting everyone to immediately delete their old cookies.

Just going to https://www.google.com/ and I’m seeing cookies that still have the SameSite warning and are set to expire in 2021.

1 Like

@adam.lamar I’ve tried clearing cached pages as well as cookies and that helped. Looks like some Intercom script was cached and produced old-style cookies, hence the warning. In incognito mode the cache is disabled and that’s why there was no problem there.

Anyways, I think Intercom needs to test all these scenarios carefully. Otherwise, many users are at risk of having Intercom broken when February arrives and Chrome does not play well.

1 Like

@adam.lamar Okay. So, it helped initially. But now the warning is back. Looks like Intercom’s JS script is cached on a CDN or something like that. And most likely that old script produces a ‘bad’ cookie.

Here’s what I see (while cache is disabled in my browser):

  1. Initial request to https://widget.intercom.io/widget/{AppId} returns 302 with:

     ```
     age: 218
     content-length: 0
     date: Tue, 03 Dec 2019 08:54:15 GMT
     location: https://js.intercomcdn.com/shim.latest.js
     server: AmazonS3
     status: 302
     via: 1.1 d70252a9a5db94138543e9a401c1f69b.cloudfront.net (CloudFront)
     x-amz-cf-id: uufT2-4bWEdtaRHirmWDq7x3IwYKJlrdIzZ-QIvn3V93vE7ZaVq3QQ==
     x-amz-cf-pop: BRU50-C1
     x-cache: Hit from cloudfront
     ```

  2. The following request to https://js.intercomcdn.com/shim.latest.js returns 200 with:

     ```
     accept-ranges: bytes
     age: 125
     cache-control: max-age=300, s-maxage=300, public
     content-encoding: gzip
     content-length: 2781
     content-type: application/javascript; charset=UTF-8
     date: Fri, 06 Dec 2019 08:06:57 GMT
     etag: "580c6fd92486423262ccc4eeddd6cff0"
     last-modified: Thu, 05 Dec 2019 01:26:32 GMT
     server: AmazonS3
     status: 200
     via: 1.1 93ca7f89577bcc406284a7bbde241b21.cloudfront.net (CloudFront)
     x-amz-cf-id: ze0DTSdYdT3LkQyZ_FVQsSbLGd4YsMtgnGOFXLhVXJ0FT-qNW-MQxQ==
     x-amz-cf-pop: WAW50-C1
     x-amz-server-side-encryption: AES256
     x-cache: Hit from cloudfront
     ```

  3. Requests to https://js.intercomcdn.com/frame.4006c444.js and https://js.intercomcdn.com/vendor.f4b42991.js

  4. Cookie warning appears in the console.

So, something is clearly wrong here and the Intercom component still produces ‘bad’ cookies even after the browser’s cache has been busted and disabled altogether. Please investigate.

We’re still seeing this issue too.

Confirmed via chrome://flags/#same-site-by-default-cookies that Intercom breaks with the future defaults.

Please help!
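
The rule in the Chrome warning quoted at the top of the thread, as an added example that is not part of any post and not Intercom's code: a small checker that takes `Set-Cookie` header values and reports which cookies an embedded third-party widget would stop receiving under the Chrome 80 defaults. The cookie names and values are constructed, and the function names are hypothetical.

```javascript
// Added example, not Intercom's code. All cookie names and values are constructed.
// Rules applied (Chrome 80 defaults):
//   no SameSite attribute        -> treated as SameSite=Lax
//   SameSite=None without Secure -> cookie is rejected
//   SameSite=None; Secure        -> delivered in third-party contexts
function classifySetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let sameSite = null;
  let secure = false;
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') secure = true;
    if (key.toLowerCase() === 'samesite') sameSite = value.toLowerCase();
  }
  if (sameSite === null) {
    // This is the case the console warning in the first post describes.
    return { name, verdict: 'missing-samesite', thirdParty: false };
  }
  if (sameSite === 'none') {
    return secure
      ? { name, verdict: 'ok-cross-site', thirdParty: true }
      : { name, verdict: 'none-without-secure', thirdParty: false };
  }
  if (sameSite === 'lax' || sameSite === 'strict') {
    return { name, verdict: 'first-party-only', thirdParty: false };
  }
  // Unrecognised value: flagged for review; assumed not delivered cross-site.
  return { name, verdict: 'invalid-samesite', thirdParty: false };
}

// Names of cookies that requests made from a third-party context would not carry.
function lostInThirdParty(headers) {
  return headers.map(classifySetCookie).filter((c) => !c.thirdParty).map((c) => c.name);
}

// Constructed sample headers; Max-Age is roughly nine months in seconds.
const sample = [
  'legacy-visitor=abc123; Path=/; Max-Age=23328000',
  'insecure-visitor=abc123; Path=/; SameSite=None',
  'fixed-visitor=abc123; Path=/; SameSite=None; Secure',
  'prefs=dark; Path=/; SameSite=Lax',
];
console.log(sample.map(classifySetCookie));
console.log('lost in third-party context:', lostInThirdParty(sample));
```

Cookies already stored without the attribute keep their original attributes until they expire or are rewritten, which is why the thread distinguishes new cookies from old ones.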