AnsweredAssumed Answered

New chrome warning about Marketo cookie SameSite and Secure attributes

Question asked by Muhammad Ali on Oct 12, 2019
Latest reply on Dec 3, 2019 by Sanford Whiteman

Like • Show 0 Likes0
Comment • 8

Hi,

I have the Marketo munchkin cookie, as well as Marketo form embeds, installed on my website. I have been noticing this console warning for a while in Chrome regarding its new cookie policy regarding only delivering secure cookies on any website that uses a Marketo form/mkto_trk cookie:

A cookie associated with a cross-site resource at https://app-sjf.marketo.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Since this warning is only applicable to third party cookies, are there any fixes for this planned on the Marketo side?

Thank you.

cc: Sanford Whiteman

Sanford Whiteman Oct 12, 2019 11:02 AM

Correct Answer

It's harmless -- bringing Chrome in line with what Safari has done for a long time.

See the reply in context

No one else had this question

Outcomes

Sanford Whiteman Oct 12, 2019 11:02 AM

It's harmless -- bringing Chrome in line with what Safari has done for a long time.

Actions

Muhammad Ali @ Sanford Whiteman on Oct 12, 2019 11:26 AM

Got it. Thanks for the quick reply Sanford.

Just wanted to confirm and be pro-active about this, to not cause any interruptions in Marketo tracking once this version goes live and wanted to make sure that there's nothing to be fixed/done from either the Website's or Marketo's end.

Actions

Vipin Mp @ Sanford Whiteman on Nov 12, 2019 11:42 PM

Hi Sanford,

I have the same issue for our Marketo Landing page. To solve this we need to add

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

Found this in javascript - SameSite warning Chrome 77 - Stack Overflow

Can you please let me know where I need to put this in Marketo?

Thank you,

Vipin

Actions

Sanford Whiteman @ Vipin Mp on Nov 12, 2019 11:49 PM

There's no equivalent. The Munchkin cookie can't be HttpOnly.

Actions

Joe Barrett @ Sanford Whiteman on Dec 3, 2019 10:25 AM

If the Marketo cookies are missing an attribute required by Chrome, doesn't that mean once the future Chrome release is out the cookies will NOT be delivered? Shouldn't Marketo add in the samesite attribute to avoid blocking the cookie if Chrome states it is required?

Actions

Sanford Whiteman @ Joe Barrett on Dec 3, 2019 10:29 AM

It's not simple like that, see my responses at Update Marketo cookie setting to not break in Chrome 80

Actions

Joe Barrett @ Sanford Whiteman on Dec 3, 2019 10:46 AM

Do I have insecure pages on my site? I don't see a solution in that thread.

Actions

Sanford Whiteman @ Joe Barrett on Dec 3, 2019 3:28 PM

The point I made there is that a minority of Marketo LP domains are secure, so it's not possible to mark the cookies as secure.

Actions

8 Replies

Sanford Whiteman Oct 12, 2019 11:02 AM
Unmark Correct
Correct Answer
It's harmless -- bringing Chrome in line with what Safari has done for a long time.
Like • Show 2 Likes2
Actions
- Muhammad Ali @ Sanford Whiteman on Oct 12, 2019 11:26 AM
  Mark Correct
  Correct Answer
  Got it. Thanks for the quick reply Sanford.
  
  Just wanted to confirm and be pro-active about this, to not cause any interruptions in Marketo tracking once this version goes live and wanted to make sure that there's nothing to be fixed/done from either the Website's or Marketo's end.
  Like • Show 0 Likes0
  Actions
- Vipin Mp @ Sanford Whiteman on Nov 12, 2019 11:42 PM
  Mark Correct
  Correct Answer
  Hi Sanford,
  
  I have the same issue for our Marketo Landing page. To solve this we need to add
  response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
  Found this in javascript - SameSite warning Chrome 77 - Stack Overflow
  
  Can you please let me know where I need to put this in Marketo?
  
  Thank you,
  Vipin
  Like • Show 0 Likes0
  Actions
  - Sanford Whiteman @ Vipin Mp on Nov 12, 2019 11:49 PM
    Mark Correct
    Correct Answer
    There's no equivalent. The Munchkin cookie can't be HttpOnly.
    Like • Show 1 Like1
    Actions
- Joe Barrett @ Sanford Whiteman on Dec 3, 2019 10:25 AM
  Mark Correct
  Correct Answer
  If the Marketo cookies are missing an attribute required by Chrome, doesn't that mean once the future Chrome release is out the cookies will NOT be delivered? Shouldn't Marketo add in the samesite attribute to avoid blocking the cookie if Chrome states it is required?
  Like • Show 0 Likes0
  Actions
  - Sanford Whiteman @ Joe Barrett on Dec 3, 2019 10:29 AM
    Mark Correct
    Correct Answer
    It's not simple like that, see my responses at Update Marketo cookie setting to not break in Chrome 80
    Like • Show 0 Likes0
    Actions
    - Joe Barrett @ Sanford Whiteman on Dec 3, 2019 10:46 AM
      Mark Correct
      Correct Answer
      Do I have insecure pages on my site? I don't see a solution in that thread.
      Like • Show 0 Likes0
      Actions
      - Sanford Whiteman @ Joe Barrett on Dec 3, 2019 3:28 PM
        Mark Correct
        Correct Answer
        The point I made there is that a minority of Marketo LP domains are secure, so it's not possible to mark the cookies as secure.
        Like • Show 0 Likes0
        Actions

New chrome warning about Marketo cookie SameSite and Secure attributes

Outcomes

Related Content

Recommended Content