Ready for Chrome 80's [Cookies default to SameSite=Lax] ?

[meishier]

I noticed warnings in my chrome debug console,

A cookie associated with a cross-site resource at http://xxx.xxx.xxx.xxx/ was set 
without the SameSite attribute. A future release of Chrome will only deliver cookies
 with cross-site requests if they are set with SameSite=None and Secure. You can review 
cookies in developer tools under Application>Storage>Cookies and see more details at 
https://www.chromestatus.com/feature/5088147346030592 and 
https://www.chromestatus.com/feature/5633521622188032.

After some digging by google, I tested

1. add cookie header [SameSite=Lax] on server
2. run my cordova android application.
3. my application does not work for authenticated user, because cookie JSessionId is not sent to server any more. (we send cookie to server from local html file's webview by ajax or xhr)

Actually chrome tell us we should set SameSite=None+Secure for cookie in Chrome 80, and that's a solution precisely. But for some reason, we can not do that. According to Apple's WkWebview Bug 198181 - Cookies with SameSite=None or SameSite=invalid treated as Strict , the fix is only for 10.15 and iOS 13 and later ver, and that means, If we set SameSite=None+Secure on server, our iOS application will not work also for iOS 12 and before ver.

Is there any other simple solution to deal with our situation? any suggestions will be greatly appreciated.

ref: https://textslashplain.com/2019/09/30/same-site-cookies-by-default

[breautek]

This sounds like a difficult problem because afaik you can't disable the policy on the android webview.

I'm not sure if the current cordova webview uses the CookieManager class, or if it already does this or not, but maybe using setAcceptThirdPartyCookies will disable the same cookie site policy without having to specify SameSite=None?

[meishier]

@breautek
thanks. From the source SystemCookieManager, CookieManager is still in use, setAcceptThirdPartyCookies is called already.

you're right, seems it's not possible to modify webview's flags either.

[breautek]

I'll add the help wanted tag to this issue. Someone will need to investigate potential solutions. The browsers have been implementing a lot of security features that makes it hard for web apps to run off of the filesystem.

But I'm not entirely confident this is something that can be solved at the client side level. Something like this might require a backend hack to make it send the appropriate header if the request is from chrome only.

[meishier]

I found a way to get through.

get cookie by native http request, and set the cookie(SameSite modified) back to webview.

I did simply tested, using cordova-plugin-advanced-http and cordova-cookie-master, and it does work on android/iOS both with specifying SameSite=Lax.

If there is a way to solve the problem by cordova-android package(such as set config(inject cookie or something else) in config.xml), and that will really be a graceful solution.

I'm not sure cordova-cookie-master will still work or not on chome 80, so I'll test it again after chrome 79 beta's release on googleplay store.

[boberski666]

I found a way to get through.

get cookie by native http request, and set the cookie(SameSite modified) back to webview.

I did simply tested, using cordova-plugin-advanced-http and cordova-cookie-master, and it does work on android/iOS both with specifying SameSite=Lax.

If there is a way to solve the problem by cordova-android package(such as set config(inject cookie or something else) in config.xml), and that will really be a graceful solution.

I'm not sure cordova-cookie-master will still work or not on chome 80, so I'll test it again after chrome 79 beta's release on googleplay store.

Can you give exacly code for this fix?

[boberski666]

@meishier

[Steenkuyl]

Yes I am curious as well. Why do you need both the plug-ins?

[meishier]

@MBoberski
I'm afraid to say I can not do that because of company's network security restrictions.

@Steenkuyl
cordova-plugin-advanced-http is for reading cookie from native-http at login page, cordova-cookie-master is for setting back cookie to webview. And after that, any page can use cookie freely regardless of what SameSite is.

[meishier]

@breautek

good news for cordova android app(webview). The new SameSite behavior will not be enforced on Android Webview until later.

https://www.chromium.org/updates/same-site

Last updated Dec 16, 2019.
The new SameSite behavior will not be enforced on Android Webview until later, though app developers are advised to declare the appropriate SameSite cookie settings for Android WebViews based on versions of Chrome that are compatible with the None value, both for cookies accessed via HTTP(S) headers and via Android WebView's CookieManager API. This does not apply to Chrome browser on Android, which will begin to enforce the new SameSite rules at the same time as the desktop versions of Chrome. The new SameSite behavior will not affect Chrome on iOS.

[breautek]

SameSite will now be enforced on API 31 devices.

Starting in API 31 on Android 12 devices, Google has started enforcing SameSite policies for WebView cookies.

Cordova cannot override this policy.

Personally I don't use cookies so I'm not totally familiar with the SameSite policies but they have a guide that should be able to help. It may involve making changes to your server.

#1417 (comment)

However, Cordova cannot override this policy. May require server changes to satisfy SameSite rules, or you may have to stop using cookies for Cordova-based apps.

For this reason, I'm closing this issue as won't fix.