That exception is temporary and will go away at some point. The specific situation that covers is for top-level, cross-site POST requests that require cookies. These should be set with SameSite=None; Secure as a permanent fix, not rely on the exception. This was added to account for a number of individual single sign-on implementations using this pattern to receive a CSRF token in their cookie - it is not related to the Safari issue.
The Safari issue is due to their implementation matching a much earlier version of the draft. As a result, if you need the cookie to work in all browsers you can use the double cookie solution proposed in web.dev/samesite-cookie-recipes/#h...
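The "double cookie" recipe mentioned above, as an added example that is not part of the original comment or of the web.dev article: the server sets the same value twice, once with `SameSite=None; Secure` for browsers that implement the current draft and once without a SameSite attribute for older WebKit builds that treat `None` as `Strict`, and reads back whichever copy arrived. The cookie names, value and sample headers are assumptions made for the example.

```javascript
// Added example: "double cookie" fallback for SameSite=None.
// Names, value and the sample Cookie headers below are constructed.
const COOKIE = '3pcookie';          // assumed primary cookie name
const LEGACY = '3pcookie-legacy';   // assumed fallback cookie name

// Build the two Set-Cookie header values for one cross-site cookie.
function doubleCookieHeaders(value, maxAgeSeconds = 3600) {
  const v = encodeURIComponent(value);
  return [
    // Preferred copy: honoured by browsers on the current SameSite draft.
    `${COOKIE}=${v}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=None`,
    // Fallback copy: no SameSite attribute, for browsers that mis-handle None.
    `${LEGACY}=${v}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly`,
  ];
}

// Parse an incoming Cookie request header into a name -> value map.
// The first occurrence of a name wins, matching typical server behaviour.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name && !(name in jar)) {
      jar[name] = decodeURIComponent(part.slice(i + 1).trim());
    }
  }
  return jar;
}

// Read the value: prefer the SameSite=None copy, fall back to the legacy one.
function readDoubleCookie(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  if (COOKIE in jar) return jar[COOKIE];
  if (LEGACY in jar) return jar[LEGACY];
  return null;
}

// Constructed sample request headers: a current browser returns both copies,
// an older WebKit build only the legacy copy.
const sampleModern = `${COOKIE}=abc123; ${LEGACY}=abc123; other=1`;
const sampleLegacyOnly = `${LEGACY}=abc123`;
```

Both copies must carry the same value, and the `Secure` attribute on the legacy copy is what keeps it from being sent over plain HTTP.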
Very timely post :) Just wanted to note some of my findings.
Chrome 80, as it's being updated across our computers, likely does not break your site/app.
Due to the Safari bug, they put in an exception
(link: chromestatus.com/feature/508814734...)
However, Safari seems to have been broken for a while now, so a fix should be implemented quickly.
(link: bugs.webkit.org/show_bug.cgi?id=19...)
Their solution uses an Apache regex to solve the problem, but the solution is not up to date with latest Safari.
On a side note, if you're using an SPA and JWTs (no cookies) this is a non-issue.
Thank you Rowan for your input on this issue.
Hi Daniel, thank you for sharing your findings.
The SameSite flag is not being enforced even in Chrome 80 until 17th February, 2020 (I am not sure about the date), as a relaxation.
If you want to test, go to chrome://flags and enable all three SameSite flags. You will see the errors mentioned in Shopify's tutorial. All we can do is to be prepared, right? ;)
And yeah, you are right about SPA.
Let me know your thoughts! Thanks.