SameSite attribute not set for cookie when fetching userinfo and keys #347
Comments
Thanks @ybhat-guidewire - it looks like you are correct, we've made sure the SameSite flag is correctly set, but we've not told the code not to send the cookie, so Chrome continues to give warnings. Internal ref: OKTA-283807
Is this expected to be fixed in 3.0.1 as mentioned in #354? I just tried upgrading to that version and am still seeing the warning pointed out by ybhat-guidewire. I didn't dig too deeply, but see that in the https.js file, when doing httpRequests, there is this line: withCredentials = options.withCredentials !== false, // default value is true. I think even with the change in #354, it'll still be including cookies by default? Or am I interpreting this incorrectly?
@mikejuly24 - You are correct, the fix for this has not yet gone in. Background: We don't require the cookies to be sent, as they are for the code to reference when the page is redirected back to after remote login. Our code defaults to trying to send the cookies, but Chrome blocks that. It causes no functional problem, but does generate a console warning. It is on our backlog to fix, but is lower priority as it represents neither a functional nor a security problem.
We are seeing the following warning in Chrome when using the okta-react library. We know it's when executing the fetch request to the endpoints userinfo and keys.
A cookie associated with a cross-site resource at http://<domain>.oktapreview.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
Our Okta deployment is the latest 2020 version.
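Added example (not code from okta-react or okta-auth-js): it models the Chrome rule quoted in the warning above for a cross-site fetch, and contrasts the opt-out default quoted from https.js (withCredentials !== false) with an opt-in default that omits cookies on the bearer-token calls to userinfo and keys. The Set-Cookie header values and function names are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into its name/value and lower-cased attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    cookie.attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return cookie;
}

// How Chrome treats the cookie on a cross-site GET (fetch/XHR) per the warning:
//  - no SameSite attribute: treated as Lax, withheld, and the console warning is logged
//  - SameSite=None without Secure: rejected outright
//  - SameSite=None; Secure: sent
//  - Lax/Strict: withheld on cross-site requests
function crossSiteCookieStatus(header) {
  const c = parseSetCookie(header);
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) return 'lax-by-default';
  if (sameSite === 'none') return c.attrs.secure === true ? 'sent' : 'rejected';
  return 'not-sent';
}

// Mirror of the default quoted from https.js: cookies are attached unless the
// caller explicitly passes withCredentials: false, so Chrome warns on every call.
function credentialsModeCurrent(options = {}) {
  const withCredentials = options.withCredentials !== false; // default value is true
  return withCredentials ? 'include' : 'omit';
}

// Opt-in variant: the token endpoints authenticate with the bearer token, so the
// browser is told not to attach cookies unless the caller asks for them.
function credentialsModeOptIn(options = {}) {
  return options.withCredentials === true ? 'include' : 'omit';
}

// Fetch options for userinfo / keys built with the opt-in default (hypothetical helper).
function tokenRequestOptions(accessToken, options = {}) {
  return {
    method: 'GET',
    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
    credentials: credentialsModeOptIn(options),
  };
}

// Constructed sample header, as a session cookie set without SameSite would look.
console.log(crossSiteCookieStatus('sid=abc123; Path=/; HttpOnly')); // lax-by-default
```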