Chrome says about problem with plugin’s cookie

Chrome says about problem with plugin’s cookie

sebastianslzsebastianslz Posts: 6Questions: 3Answers: 0

Good day!
Thank you for your plugin. I use it for a couple of years, and everything’s work great.

Today i installed the last version, and got a message in Chrome console:

A cookie associated with a cross-site resource at http://datatables.net/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

So, just want you to know, may be you can fix it in the future.
Thank you.

Replies

  • allanallan Posts: 63,540Questions: 1Answers: 10,476 Site admin

    Hi,

    That cookie is created and used by CloudFlare - information about it is available in the documentation. Its not something that is being intentionally created by us and creating is not created by the DataTables software.

    I have an open tech support question with CloudFlare about this at the moment and will post back when I get any updates.

    Allan

  • Seven77Seven77 Posts: 4Questions: 0Answers: 0

    Hello Allan,

    Any updates on this issue?

  • allanallan Posts: 63,540Questions: 1Answers: 10,476 Site admin

    This is the latest I have from CloudFlare support:

    We are looking into samesite in an internal ticket. Happy to keep you updated on that.

    That was 10th October. I've not heard more since and I've been seeing that warning in my own console, so no change I guess unfortunately.

    Any updates I do get, I'll post here.

    Allan

  • Seven77Seven77 Posts: 4Questions: 0Answers: 0

    Thanks!

  • mguinnessmguinness Posts: 85Questions: 12Answers: 1

    Yes, it's the __cfduid cookie being set by Cloudflare for cdn.datatables.com. If you're an enterprise customer you can disable that cookie from being sent.

    Currently it's only a warning in Chrome, but cookie will default to SameSite=Lax in version 80 when released February 4, 2020.

    SameSite Updates

  • Seven77Seven77 Posts: 4Questions: 0Answers: 0

    And what would defaulting to "SameSite=Lax" mean in practical terms? Would something break?

  • mguinnessmguinness Posts: 85Questions: 12Answers: 1
    edited October 2019

    There's no impact to DataTables only Cloudflare. The tracking cookie used by them will still be returned to them if it's a GET request but not a POST. See Using the Same-Site Cookie Attribute to Prevent CSRF Attacks for more details.

  • allanallan Posts: 63,540Questions: 1Answers: 10,476 Site admin

    Very interesting - thanks for the links @mguinness. We are enterprise CloudFlare customers due to the amount of bandwidth our CDN uses, so I could turn it off, but the __cfduid cookie is used to help with caching and attack prevention.

    Allan

  • mguinnessmguinness Posts: 85Questions: 12Answers: 1

    @Seven77 You can test the impact of the change beforehand to ensure nothing breaks in Chrome.

    Go to chrome://flags and enable #same-site-by-default-cookies. Restart the browser for the changes to take effect.

  • Seven77Seven77 Posts: 4Questions: 0Answers: 0

    Thanks. I tried it and it doesn't seem to have any obvious effect.

  • allanallan Posts: 63,540Questions: 1Answers: 10,476 Site admin

    Hi all,

    A little update on this from CloudFlare support:

    our engineering team had added the SameSite attribute in the __cfduid cookie and released this changes.

    So you should no longer be seeing the warning message in the console.

    Allan

  • maeser@gmail.commaeser@gmail.com Posts: 5Questions: 1Answers: 0

    Hi Allan,

    Looks like this same thing will need to be done with the Editor plugin as well. I get this currently for pages that I have the Editor code running:
    A cookie associated with a cross-site resource at http://editor.datatables.net/ was set without the "SameSite" attribute

  • allanallan Posts: 63,540Questions: 1Answers: 10,476 Site admin

    Editor doesn't have any resources that should be getting loaded remotely from editor.datatables.net. Are you able to give me a link to the page showing that error so I can see what is happening please?

    Thanks,
    Allan

  • nickpapoutsisnickpapoutsis Posts: 10Questions: 2Answers: 0

    Hi Allan,

    I'm always getting the A cookie associated with a cross-site resource at http://live.datatables.net/ was set without the SameSite attribute. and sometimes the A cookie associated with a cross-site resource at http://datatables.net/ was set without the SameSite attribute. when I'm using

    <link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/v/bs/dt-1.10.20/b-1.6.1/b-colvis-1.6.1/r-2.2.3/sc-2.0.1/sl-1.3.1/datatables.min.css"/>
    <script type="text/javascript" src="https://cdn.datatables.net/v/bs/dt-1.10.20/b-1.6.1/b-colvis-1.6.1/r-2.2.3/sc-2.0.1/sl-1.3.1/datatables.min.js"></script>
    
  • allanallan Posts: 63,540Questions: 1Answers: 10,476 Site admin

    I suspect that the CloudFlare solution is taking a while to roll out. I'll check in with them.

    Allan

  • nickpapoutsisnickpapoutsis Posts: 10Questions: 2Answers: 0

    Looks like it's been resolved, don't see them any more.
    Thanks!

  • rhfrhf Posts: 2Questions: 0Answers: 0

    I am having exactly this same problem and am concerned about the possible effects when Chrome makes the change.
    I have tried using the latest versions and am still getting the 'cross-site' warning.
    Has the problem really been resolved?

  • nickpapoutsisnickpapoutsis Posts: 10Questions: 2Answers: 0

    @rhf It's not really an issue but it has been resolved, I don't get them any more.

  • rhfrhf Posts: 2Questions: 0Answers: 0

    Thanks, nickpapoutsis, but I am still getting the warning.

  • nickpapoutsisnickpapoutsis Posts: 10Questions: 2Answers: 0

    @rhf Try clearing cookies and local/session storage.

  • LukasLLukasL Posts: 26Questions: 10Answers: 0
    edited September 2020

    @allan Any updates on this? I still get the warning. I tried to clear cookies and local/session storage as @nickpapoutsis suggested, but when I refresh the page it's still comes back. Has this really been fixed yet? I'm using datatables version 1.10.20, if it matters.

  • allanallan Posts: 63,540Questions: 1Answers: 10,476 Site admin

    Unfortunately it doesn't look like CloudFlare have completed their changes needed for this yet. DataTables itself doesn't use any cookies - the error is coming from the CloudFlare cookie used to help improve the CDN caching.

    To side step the problem, you could host the DataTables code on your own server.

    Allan

This discussion has been closed.