Re: New chrome warning about Marketo cookie SameSite and Secure attributes

Muhammad_Ali · ‎10-12-2019

Hi,

I have the Marketo munchkin cookie, as well as Marketo form embeds, installed on my website. I have been noticing this console warning for a while in Chrome regarding its new cookie policy regarding only delivering secure cookies on any website that uses a Marketo form/mkto_trk cookie:

A cookie associated with a cross-site resource at https://app-sjf.marketo.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Since this warning is only applicable to third party cookies, are there any fixes for this planned on the Marketo side?

Thank you.

cc: Sanford Whiteman‌

SanfordWhiteman · ‎10-12-2019

It's harmless -- bringing Chrome in line with what Safari has done for a long time.

View solution in original post

SanfordWhiteman · ‎10-12-2019

It's harmless -- bringing Chrome in line with what Safari has done for a long time.

Muhammad_Ali · ‎10-12-2019

Got it. Thanks for the quick reply Sanford.

Just wanted to confirm and be pro-active about this, to not cause any interruptions in Marketo tracking once this version goes live and wanted to make sure that there's nothing to be fixed/done from either the Website's or Marketo's end.

Vipin_Mp · ‎11-12-2019

Hi Sanford,

I have the same issue for our Marketo Landing page. To solve this we need to add

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

Found this in javascript - SameSite warning Chrome 77 - Stack Overflow

Can you please let me know where I need to put this in Marketo?

Thank you,

Vipin

SanfordWhiteman · ‎11-12-2019

There's no equivalent. The Munchkin cookie can't be HttpOnly.

Joe_Barrett · ‎12-03-2019

If the Marketo cookies are missing an attribute required by Chrome, doesn't that mean once the future Chrome release is out the cookies will NOT be delivered? Shouldn't Marketo add in the samesite attribute to avoid blocking the cookie if Chrome states it is required?

SanfordWhiteman · ‎12-03-2019

It's not simple like that, see my responses at

Joe_Barrett · ‎12-03-2019

Do I have insecure pages on my site? I don't see a solution in that thread.

SanfordWhiteman · ‎12-03-2019

The point I made there is that a minority of Marketo LP domains are secure, so it's not possible to mark the cookies as secure.

NestoJosa · ‎07-27-2021

For Future Googlers

The missing link at the end of @SanfordWhiteman comment ("It's not simple like that, see my responses at") is the following:

https://nation.marketo.com/t5/ideas/update-marketo-cookie-setting-to-not-break-in-chrome-80/idi-p/26...

You can see it for yourself via the browser inspector: there is an empty <a> tag.