
javascript - How to resolve Lighthouse's SameSite cookie issue - Stack Overflow


I used Chrome's site audit tool, Lighthouse, and it has found the following issue on my site:

  • Issue type: SameSite cookie
  • /tr/?id=…(www.facebook)

How can I resolve this issue?

Update

Here is what I get in the Issues panel:

Screenshot

Text

Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute

Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie:

-> Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.

-> Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests.

AFFECTED RESOURCES: 2 cookies (Name, Domain & Path):

  • _ga, .bootstrapcdn/
  • cppo, .facebook/

1 request

?id=383112278961246&ev=fb_page_view&dl=https%3A%2F…rl=&if=false&ts=1621983787255&sw=1920&sh=1080&at=

asked May 25, 2021 at 11:10 by Hooman Bahreini; edited May 25, 2021 at 23:12
  • Can you look in the Devtools console and share the error message it's referring to? – person_v1.32 Commented May 25, 2021 at 22:59
  • @person_v1.32: thanks, I have updated the question. – Hooman Bahreini Commented May 25, 2021 at 23:15

1 Answer


The SameSite cookie attribute essentially tells the browser whether to send the cookie depending on the context of the request. There are three values the SameSite attribute can take: Strict, Lax, and None.

  • Strict means that the cookie will be sent on a request only if the user is on the same site as the request.
  • Lax means the cookie will also be sent on top-level navigations; i.e. if the user is navigating to the site from another site.
  • None will send the cookie on cross-site requests too. SameSite=None must also be paired with the Secure attribute, which prevents it from being sent over http:.

For more details, see MDN or SameSite cookies explained (web.dev).

So, if the cookie was set by a server you control, you can fix this issue by explicitly setting the SameSite attribute on the Set-Cookie header.

In your case, it looks like the cookies are set by third-party resources (Bootstrap and Facebook). Because of this, I don't think you will have control over the attributes they set on their cookies. You can look into where those requests are coming from and remove those resources if you don't need them (which is good to do regardless). Otherwise, I wouldn't worry about it too much unless it is causing issues with the function of your site.
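The answer above describes two things a practitioner usually wants to see in code: how each SameSite value decides whether a cookie accompanies a request, and how to emit a Set-Cookie header that passes the Lighthouse check. The following Node.js example is added here and is not code from the original question or answer. It assumes plain Node.js with no framework; the function names (`buildSetCookie`, `parseSetCookie`, `auditSetCookies`, `wouldBrowserSend`) and the sample headers are constructed for illustration.

```javascript
// Added example (not from the original post): build Set-Cookie headers with an
// explicit SameSite attribute, audit headers the way Lighthouse's "SameSite cookie"
// issue does, and model which requests a browser would attach the cookie to.

const VALID_SAMESITE = new Set(['Strict', 'Lax', 'None']);

// Build one Set-Cookie header value for a server you control.
// Refuses SameSite=None without Secure, because Chrome rejects that combination.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite = 'Lax', secure = false, httpOnly = true, path = '/', maxAge } = opts;
  if (!VALID_SAMESITE.has(sameSite)) throw new Error(`invalid SameSite value: ${sameSite}`);
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires the Secure attribute');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into its cookie name and lower-cased attribute map.
// Value-less attributes (Secure, HttpOnly) are recorded as `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Report cookies that would trigger the Lighthouse issue quoted in the question:
// SameSite missing or invalid (Chrome then treats it as Lax), or None without Secure.
function auditSetCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    const raw = attributes.samesite;
    if (raw === undefined || raw === true) {
      findings.push({ name, problem: 'SameSite not set; browser defaults to Lax' });
      continue;
    }
    const match = [...VALID_SAMESITE].find((v) => v.toLowerCase() === String(raw).toLowerCase());
    if (!match) {
      findings.push({ name, problem: `invalid SameSite value "${raw}"; treated as Lax` });
    } else if (match === 'None' && attributes.secure !== true) {
      findings.push({ name, problem: 'SameSite=None without Secure; cookie is rejected' });
    }
  }
  return findings;
}

// Model of the three values from the answer. `ctx` describes the request:
//   sameSite: request origin and cookie origin are the same site
//   topLevelNavigation: the request is a top-level navigation (address bar / link)
//   safeMethod: the request uses a safe method such as GET
function wouldBrowserSend(sameSiteValue, ctx) {
  switch (sameSiteValue) {
    case 'Strict': return ctx.sameSite;
    case 'Lax': return ctx.sameSite || (ctx.topLevelNavigation && ctx.safeMethod);
    case 'None': return true;
    default: throw new Error(`invalid SameSite value: ${sameSiteValue}`);
  }
}

// Constructed sample headers; they do not come from the site in the question.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly',                   // no SameSite at all
  'tracking=xyz; Path=/; SameSite=None',                  // None but no Secure
  'pref=dark; Path=/; SameSite=Strict; Secure; HttpOnly', // passes the check
  'legacy=1; Path=/; SameSite=Bogus',                     // invalid value
];

for (const f of auditSetCookies(SAMPLE_HEADERS)) console.log(`${f.name}: ${f.problem}`);
console.log(buildSetCookie('sessionid', 'abc123', { sameSite: 'Lax', secure: true }));
```

Run with `node samesite.js`. A cross-site POST (the classic CSRF shape) is `sameSite: false, topLevelNavigation: true, safeMethod: false`, and `wouldBrowserSend` returns `false` for both Strict and Lax; only a cookie explicitly marked `None` (with `Secure`) accompanies it, which is why Lighthouse asks for the attribute to be stated rather than left to the browser default.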
