Chrome says about problem with plugin’s cookie


sebastianslz Posts: 6 Questions: 3 Answers: 0

Good day!
Thank you for your plugin. I have used it for a couple of years, and everything works great.

Today I installed the last version and got a message in the Chrome console:

A cookie associated with a cross-site resource at http://datatables.net/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

So, I just want you to know; maybe you can fix it in the future.
Thank you.

Replies

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    Hi,

    That cookie is created and used by CloudFlare - information about it is available in the documentation. It's not something that is being intentionally created by us and it is not created by the DataTables software.

    I have an open tech support question with CloudFlare about this at the moment and will post back when I get any updates.

    Allan

  • Seven77 Posts: 4 Questions: 0 Answers: 0

    Hello Allan,

    Any updates on this issue?

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    This is the latest I have from CloudFlare support:

    We are looking into samesite in an internal ticket. Happy to keep you updated on that.

    That was 10th October. I've not heard more since and I've been seeing that warning in my own console, so no change I guess unfortunately.

    Any updates I do get, I'll post here.

    Allan

  • Seven77 Posts: 4 Questions: 0 Answers: 0

    Thanks!

  • mguinness Posts: 85 Questions: 12 Answers: 1

    Yes, it's the __cfduid cookie being set by Cloudflare for cdn.datatables.com. If you're an enterprise customer you can disable that cookie from being sent.

    Currently it's only a warning in Chrome, but cookies will default to SameSite=Lax in version 80 when released February 4, 2020.

    SameSite Updates

  • Seven77 Posts: 4 Questions: 0 Answers: 0

    And what would defaulting to "SameSite=Lax" mean in practical terms? Would something break?

  • mguinness Posts: 85 Questions: 12 Answers: 1
    edited October 2019

    There's no impact to DataTables, only Cloudflare. The tracking cookie used by them will still be returned to them if it's a GET request but not a POST. See Using the Same-Site Cookie Attribute to Prevent CSRF Attacks for more details.
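
The Lax behaviour discussed in the replies above, as an added example (not part of the original thread and not DataTables or Cloudflare code): a simplified model of which cross-site requests still carry a cookie under the new Chrome defaults. The header values are constructed samples, the function names are hypothetical, and Chrome's temporary exceptions to the Lax default are not modelled.

```javascript
// Parse one Set-Cookie header value into name, SameSite mode and Secure flag.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Effective policy under the new defaults:
//  - missing or unrecognised SameSite -> treated as Lax
//  - SameSite=None without Secure     -> cookie rejected
function effectivePolicy(cookie) {
  const known = ['strict', 'lax', 'none'];
  const mode = known.includes(cookie.sameSite) ? cookie.sameSite : 'lax';
  if (mode === 'none' && !cookie.secure) return 'rejected';
  return mode;
}

// Would the browser attach the cookie to this request?
// req = { crossSite, method, topLevelNavigation }
function isSent(header, req) {
  const policy = effectivePolicy(parseSetCookie(header));
  if (policy === 'rejected') return false;
  if (!req.crossSite || policy === 'none') return true;
  if (policy === 'strict') return false;
  // Lax: cross-site only on top-level navigations with a safe method.
  const safe = ['GET', 'HEAD'].includes(req.method.toUpperCase());
  return req.topLevelNavigation && safe;
}

// Constructed sample headers (placeholder values, not captured traffic).
const legacy = '__cfduid=d0000000000000000; path=/; domain=.example.net; HttpOnly';
const explicitNone = legacy + '; SameSite=None; Secure';
const insecureNone = 'track=1; SameSite=None';

// Constructed request contexts: a <script> fetch, a link click, a form POST.
const scriptLoad = { crossSite: true, method: 'GET', topLevelNavigation: false };
const linkClick = { crossSite: true, method: 'GET', topLevelNavigation: true };
const formPost = { crossSite: true, method: 'POST', topLevelNavigation: true };

console.log(isSent(legacy, scriptLoad), isSent(legacy, linkClick), isSent(legacy, formPost));
console.log(isSent(explicitNone, scriptLoad), isSent(insecureNone, linkClick));
```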

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    Very interesting - thanks for the links @mguinness. We are enterprise CloudFlare customers due to the amount of bandwidth our CDN uses, so I could turn it off, but the __cfduid cookie is used to help with caching and attack prevention.

    Allan

  • mguinness Posts: 85 Questions: 12 Answers: 1

    @Seven77 You can test the impact of the change beforehand to ensure nothing breaks in Chrome.

    Go to chrome://flags and enable #same-site-by-default-cookies. Restart the browser for the changes to take effect.

  • Seven77 Posts: 4 Questions: 0 Answers: 0

    Thanks. I tried it and it doesn't seem to have any obvious effect.

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    Hi all,

    A little update on this from CloudFlare support:

    Our engineering team had added the SameSite attribute in the __cfduid cookie and released these changes.

    So you should no longer be seeing the warning message in the console.

    Allan

  • maeser@gmail.com Posts: 5 Questions: 1 Answers: 0

    Hi Allan,

    Looks like this same thing will need to be done with the Editor plugin as well. I get this currently for pages that I have the Editor code running:
    A cookie associated with a cross-site resource at http://editor.datatables.net/ was set without the "SameSite" attribute

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    Editor doesn't have any resources that should be getting loaded remotely from editor.datatables.net. Are you able to give me a link to the page showing that error so I can see what is happening please?

    Thanks,
    Allan

  • nickpapoutsis Posts: 10 Questions: 2 Answers: 0

    Hi Allan,

    I'm always getting the "A cookie associated with a cross-site resource at http://live.datatables.net/ was set without the SameSite attribute." and sometimes the "A cookie associated with a cross-site resource at http://datatables.net/ was set without the SameSite attribute." when I'm using

    <link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/v/bs/dt-1.10.20/b-1.6.1/b-colvis-1.6.1/r-2.2.3/sc-2.0.1/sl-1.3.1/datatables.min.css"/>
    <script type="text/javascript" src="https://cdn.datatables.net/v/bs/dt-1.10.20/b-1.6.1/b-colvis-1.6.1/r-2.2.3/sc-2.0.1/sl-1.3.1/datatables.min.js"></script>
    
  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    I suspect that the CloudFlare solution is taking a while to roll out. I'll check in with them.

    Allan

  • nickpapoutsis Posts: 10 Questions: 2 Answers: 0

    Looks like it's been resolved, don't see them any more.
    Thanks!

  • rhf Posts: 2 Questions: 0 Answers: 0

    I am having exactly this same problem and am concerned about the possible effects when Chrome makes the change.
    I have tried using the latest versions and am still getting the 'cross-site' warning.
    Has the problem really been resolved?

  • nickpapoutsis Posts: 10 Questions: 2 Answers: 0

    @rhf It's not really an issue but it has been resolved, I don't get them any more.

  • rhf Posts: 2 Questions: 0 Answers: 0

    Thanks, nickpapoutsis, but I am still getting the warning.

  • nickpapoutsis Posts: 10 Questions: 2 Answers: 0

    @rhf Try clearing cookies and local/session storage.

  • LukasL Posts: 26 Questions: 10 Answers: 0
    edited September 2020

    @allan Any updates on this? I still get the warning. I tried to clear cookies and local/session storage as @nickpapoutsis suggested, but when I refresh the page it still comes back. Has this really been fixed yet? I'm using DataTables version 1.10.20, if it matters.

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    Unfortunately it doesn't look like CloudFlare have completed their changes needed for this yet. DataTables itself doesn't use any cookies - the error is coming from the CloudFlare cookie used to help improve the CDN caching.

    To sidestep the problem, you could host the DataTables code on your own server.

    Allan

This discussion has been closed.