Browser vendors like Mozilla or Google have introduced new default values for
sameSite attribute when setting browser cookies . While this change is
great for preventing third-party tracking through cookies, it can make a
developer’s life quite frustrating when wanting to debug a local front end
pointing to a remote server.
Especially, when Chrome and Firefox give confusing or no warnings at all. Here’s an example of Chrome complaining:
In Firefox, there’ll likely be a small warning in the console:
Some cookies are misusing the “SameSite“ attribute, so it won’t work as expected
For me the problem was the following: I had a staging server running online. It contained sample data that I preferred using to test my front end over a local backend server.
There’s a similar problem that developers run into with this type of setup: CORS. I usually encounter it either when:
- I host front end and back end on different domains
- I spin up a local front end development server and connect it to a backend running online.
That problem, I tend to prefer solving it by downloading a browser plugin that
temporarily disabled CORS. The recent
sameSite cookie attribute change,
however, is different in that it’s recent. I only found limited information
about bypassing it online. There are no browser plugins yet either. Still, it
can be easily fixed by modifying some settings in your browser.
Disabling sameSite policy in Google Chrome
- Navigate to
- Set “SameSite by default cookies”, “Enable removing SameSite=None
cookies”, “Cookies without SameSite must be secure” to
- Make sure to restart Chrome.
When trying your
Set-Cookie request, the yellow overlay in the
request inspection tab should now be gone and your cookies should show up in
the “Application” tab.
Disabling sameSite policy in Mozilla Firefox Developer Edition
about:config and make sure you have the following settings
Issues with blocked
SameSite cookies in local development environments can be
fixed by temporarily disabling sameSite policies in Firefox and Chrome. To
learn more about the
sameSite cookie attribute, check
sameSite cookies on