SameSite Cookie Attribute Explained by Example (Strict, Lax, None & No SameSite)

  • Published 9 Sep 2024

Comments • 122

  • @hnasr
    @hnasr  7 months ago +5

    Google has started deprecating third-party cookies (SameSite=None, essentially) in 2024. You might be among the 1% experiment; that might explain why it isn't working anymore. I wrote about this here and left resources too.
    medium.com/@hnasr/google-is-deprecating-3rd-party-cookies-d987603607a7

    • @ammakr
      @ammakr 6 months ago

      Yeah, I just noticed. I have a web application in Next.js and Django. It's working fine on Firefox and GNOME Web (a.k.a. Safari lol), but its authentication stopped working on Chromium (cookies aren't being set). Thanks man!

  • @williambattle5068
    @williambattle5068 2 years ago +8

    Thanks a bunch - just what I needed! I found the explanation in a lot of places but the visuals really clarified it for me.

  • @vicky2118
    @vicky2118 3 years ago +8

    Finally I understood this concept... Thanks for this great explanation 👍

    • @hnasr
      @hnasr  3 years ago

      ❤️

  • @gagangupta1255
    @gagangupta1255 4 years ago +4

    Hussein, God bless you for explaining this feature so nicely. Even after reading/watching tens of videos, the concept was not clear. Seriously, you did a great job explaining it so easily with a practical example.

    • @hnasr
      @hnasr  4 years ago +1

      Gagan Gupta Hi Gagan! I am happy the video helped 😊 have a great day

  • @_dinesh
    @_dinesh 4 years ago +10

    This is how you explain things!!!!! Thank you so much 🙏🙏🙏. The Google Chrome team should use this as their official video because their video is just crap.

  • @iamboltzmann412
    @iamboltzmann412 3 months ago +1

    Thanks a lot brother, I recently made a new website and the front end and backend are hosted on two different services. I was breaking my head over why the browser was not sending cookies. This explains why. I guess I have to use some other way, since Google deprecated cross-site cookies.

  • @ashish_gupta307
    @ashish_gupta307 2 years ago

    I checked this topic on many channels but got it clear from here..... thanks, Hussein.

  • @justcoding2491
    @justcoding2491 2 years ago +3

    Very well explained in detail with good example ❤️👍🏻

  • @namangupta1817
    @namangupta1817 3 years ago +3

    That excitement level for domain name 😂😂😂😂😂

  • @JiyOnFire-vg4xx
    @JiyOnFire-vg4xx 11 months ago

    Thank you so much, sir. I was searching for it the whole day but I didn't understand it before you explained it. It's really precious.

  • @AUBCodeII
    @AUBCodeII 1 year ago +1

    Thanks for making a clear explanation of SameSite!

  • @samnayakawadi
    @samnayakawadi 11 months ago

    Subscribed. ChatGPT failed to explain this concept. Thanks dude.

  • @Ravi.Benedetti
    @Ravi.Benedetti 4 years ago +2

    Thank you sir. You are a gentleman and a scholar.

  • @shadmanfatin777
    @shadmanfatin777 1 year ago +1

    Amazing explanation. Thank you Nasser sir.

  • @g-luu
    @g-luu 4 years ago +5

    Superior content as always.

    • @hnasr
      @hnasr  4 years ago

      Thanks Bryan !

  • @MrMonishSoni
    @MrMonishSoni 1 year ago

    Best video for the SameSite attribute (cookies)

  • @thoriq_aulia
    @thoriq_aulia 2 years ago

    Finally I understand the SameSite parameter. Thanks man, you saved the day.

  • @rohandvivedi
    @rohandvivedi 3 years ago +1

    This is one of the best illustrations of the usage of SameSite.
    Thanks

    • @hnasr
      @hnasr  3 years ago

      Rohan Dvivedi Thanks, Rohan

  • @supa1009
    @supa1009 4 years ago +4

    haha thanks for the tutorial and positive energy :D

  • @thalyssonleite1479
    @thalyssonleite1479 2 years ago +1

    Thank you! It's very clear now what that cookie with SameSite does.

    • @isbemorph
      @isbemorph 1 year ago

      Node would throw a typo. But samesite or SameSite works fine.

  • @rotemgalea7156
    @rotemgalea7156 1 year ago

    Thank God! I learned this in college, which I paid a lot of money for, and now it's the first time I really understand this issue. Thank you.

  • @shuaiqingluo4400
    @shuaiqingluo4400 7 months ago

    this is an excellent video explaining the same-site policy of cookies!

  • @ebaduddin2624
    @ebaduddin2624 3 years ago +1

    Beautifully explained.. thanks

  • @nitinverma7419
    @nitinverma7419 3 months ago

    Thanks brother, You saved a lot of time for me :)

  • @surajbhushanpandey2882
    @surajbhushanpandey2882 2 years ago

    Nice work, @Hussein

  • @pedrosampaio8293
    @pedrosampaio8293 3 years ago +1

    Brilliant explanation!!!

  • @thalyssonleite1479
    @thalyssonleite1479 2 years ago

    Greetings from Brazil!

  • @alexeicodes
    @alexeicodes 1 year ago

    The best explanation, I love it so much

  • @ashherali7613
    @ashherali7613 10 months ago

    Nice explanation, keep it up dude

  • @matthewespindola3694
    @matthewespindola3694 3 years ago

    Wow, you are great man. What a perfect explanation. Thanks!

  • @roman_mf
    @roman_mf 1 year ago

    Beautifully visualized!

  • @kumaravelrajan
    @kumaravelrajan 1 year ago

    Excellent presentation. Thank you 😁

  • @user-qb1yq6ji2o
    @user-qb1yq6ji2o 9 months ago

    Thank you for the information. It was really useful.

  • @user-mu5il5in3g
    @user-mu5il5in3g 11 months ago

    Amazing explanation!! Thanks a ton!!!

  • @channaly2772
    @channaly2772 1 year ago

    Great example! Many thanks

  • @DevAmirull
    @DevAmirull 1 year ago

    What a perfect explanation. Thanks.

  • @QuranKareem22
    @QuranKareem22 8 months ago

    Good explanation, thanks!

  • @raminiskandarov
    @raminiskandarov 2 years ago

    Thanks for this perfect explanation. Just perfect.

  • @yaseralamoodi8314
    @yaseralamoodi8314 4 years ago +3

    Thanks brother, I really appreciate your work and get a lot of experience from you. My question is: shouldn't cookies just work for the same domain? I mean, they shouldn't exist if you open a new tab for another domain.

    • @hnasr
      @hnasr  4 years ago +4

      Correct! Cookies are domain-specific, but 3rd-party cookies were invented for tracking purposes.

  • @MedoMedo-op3em
    @MedoMedo-op3em 3 years ago +1

    BRILLIANT !!

  • @MrJohn360
    @MrJohn360 3 years ago

    Great explanation, thanks for sharing.

  • @ismaillachhab741
    @ismaillachhab741 2 years ago

    Good explanation, thank you so much

  • @bum7006
    @bum7006 3 years ago +1

    Thanks

  • @mrstatler
    @mrstatler 5 months ago

    Still don't know why there's a cookie for the second site referencing an image from the first one when both are open in Chrome. But when one is open in Chrome and the 2nd in Firefox, it doesn't seem to work.

  • @nileshmonde4707
    @nileshmonde4707 1 year ago

    Thanks for the video

  • @nikhil_arora
    @nikhil_arora 2 years ago

    Too good. Thanks for this video!

  • @techwithameer
    @techwithameer 4 years ago +1

    Thanks for this bro...

  • @birdofhermes6152
    @birdofhermes6152 3 years ago

    Thanks for the explanation

  • @tsdineshjai8565
    @tsdineshjai8565 1 month ago

    @hnasr Usually when you visit a site, the server will send the cookie to the browser, right? But in the video, you have mentioned several times that the "browser" will not send the cookie if it's cross-site. Can you explain this, please?

  • @dmbarry86
    @dmbarry86 4 years ago

    Brilliant explanation, thanks.

    • @hnasr
      @hnasr  4 years ago

      Glad it was helpful!

  • @aliyevruslan936
    @aliyevruslan936 1 year ago

    @hnasr The server setup things you mentioned at ~1:56, which of your videos teaches such server setups? You have many videos.

  • @saeedp92
    @saeedp92 5 months ago

    Excellent, thank you

  • @alvin_lal
    @alvin_lal 3 years ago

    Thanks sir, very helpful

  • @bojandanon2037
    @bojandanon2037 1 year ago

    Very nice 👍

  • @nishantdalvi9470
    @nishantdalvi9470 10 months ago

    Please, someone clear my doubt. The image of one domain is getting loaded on another domain if the attribute SameSite has the value None, right? But what about the SOP (Same Origin Policy)? Isn't it going to block the responses from a cross domain?

  • @jyotirmoymaschatak5960
    @jyotirmoymaschatak5960 1 year ago

    Thanks Boss!

  • @ExtraTurtle
    @ExtraTurtle 9 months ago

    What makes the image display only with the cookie? I thought the cookie being Strict means it lets you access the cookie itself from the same site only. Where is the code for the img, and how do you make it follow the cookie settings?

  • @allanimeworld2898
    @allanimeworld2898 3 years ago +1

    Sir, please make a video on how to access a cookie from another website.
    I mean, how cross-site is done.
    🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏

  • @manikandankm3974
    @manikandankm3974 2 years ago

    What if we want to make a request from Domain A through an API call to fetch information from Domain B when SameSite = Strict? What is the way to achieve that?

  • @alimahboub4163
    @alimahboub4163 3 years ago

    That's the best explanation ever! Well done my friend. Keep it going

  • @goatslayer5957
    @goatslayer5957 7 months ago

    Is it possible they have patched this? I can't get cross-site cookies working! I used your Express file and uploaded it to Render. Then I also made a GitHub page with an image src pointing to the Render https link, but the cookie is never sent!!

  • @ManiKandan-vo2qr
    @ManiKandan-vo2qr 4 years ago

    Hi, I have a small doubt. What would be the case when it is not Secure? Please let me know the behavior when both are communicating over HTTP.

  • @AbhiSeSeekho
    @AbhiSeSeekho 3 years ago

    If the SameSite attribute is set to Lax and the browser is sending the cookie, then how does it prevent CSRF?

  • @mishapatel3119
    @mishapatel3119 3 years ago

    How can we access the cookies in the request header with HttpOnly?? Please help, I'm having trouble getting these cookies in all request headers.

  • @petruconiuc4618
    @petruconiuc4618 3 years ago +1

    Very impressive explanation, but how do you set a cookie with a domain other than your own?

    • @hnasr
      @hnasr  3 years ago

      You can't; that is the security aspect of cookies. They are set by the owner of the domain.
      You can set the cookie from the client side with JavaScript document.cookie, but still you would have to have injected some code to do so in someone else's domain.

  • @ektanawle1088
    @ektanawle1088 4 years ago

    Thanks for the explanation, Hussein. I got one question: if someone is using my site's login page on their website, then who would set SameSite=None
    (I as the site owner, or the one who is using our login page)? Could you please help me find this out.
    I have set SameSite=None in my code, but when I am trying to log in through their site it still shows SameSite=Lax, while when I log in through my site the changes are reflected as None.

  • @morganfree100
    @morganfree100 2 years ago

    @hussein Nasser: Does this apply to WebSocket?

  • @desarrolladorrapido8767
    @desarrolladorrapido8767 4 years ago

    Excellent example with IMG and A. A question: how about IFRAME and AJAX?

    • @hnasr
      @hnasr  4 years ago +1

      Desarrollador Rápido Both are very similar to IMG. Thanks!

    • @desarrolladorrapido8767
      @desarrolladorrapido8767 4 years ago

      I see, thank you.

    • @glenndwiyatcita1663
      @glenndwiyatcita1663 3 years ago

      @hnasr Hmm, but according to owasp.org/www-community/attacks/csrf#other-http-methods, JavaScript is subject to the same-origin policy... which means if AJAX is used to make a request from your other origin (hnasr.github.io), it won't be executed in the first place.

  • @shubham_srt
    @shubham_srt 1 year ago

    Thanks :)

  • @nguyenluat-gj8vx
    @nguyenluat-gj8vx 5 months ago

    thanks

  • @singh.karanbir
    @singh.karanbir 3 years ago

    This is a nice explanation.
    But there is room for explanation around the cookies being set while calling the login API.

  • @smartaquarius2021
    @smartaquarius2021 3 years ago

    Is it possible to access a SameSite=Lax cookie in case the API is integrated with OpenID Connect for single sign-on? Currently they are inaccessible because the OIDC URL auto-redirects to my API, and at that time the API tries to read the cookies on the server side. Any suggestions on this, please??

  • @quangaonguyen7898
    @quangaonguyen7898 2 years ago

    How do we set SameSite=None?

  • @vladislavgerginov748
    @vladislavgerginov748 1 year ago

    Thanks for the great example. But how you set these properties on a site with a drag-and-drop site builder is the real question.

    • @urssaf343
      @urssaf343 1 year ago

      This is done on the backend. Drag and drop stuff is just the page that is being sent to the user.

    • @vladislavgerginov748
      @vladislavgerginov748 1 year ago

      @urssaf343 Agreed. A tutorial about how it's done on the back end would be very appreciated. Or is it too much to ask?!

    • @urssaf343
      @urssaf343 1 year ago +1

      @vladislavgerginov748 Look up the course from Mosh Hamedani: RESTful APIs with Express.

  • @iCydiaHelper19
    @iCydiaHelper19 3 years ago

    I am getting HTTP error 405, any advice?

  • @utkuaslan701
    @utkuaslan701 4 years ago

    thanks!!

  • @techwithameer
    @techwithameer 4 years ago

    Why is redirection to a site not working when SameSite is Lax but the request from the other site is a POST?
    Does this work only for GET?
    I am getting an issue when my site is redirected from a payment gateway. They are redirecting using a POST request.

    • @hnasr
      @hnasr  4 years ago +1

      AMR K POST requests won't send Lax cookies cross-site; there is, however, an exception if those Lax cookies were created within two minutes.
      A SameSite Cookie Exception was made to avoid Redirect Loop in Single Sign-On (SSO) Let us Discuss
      th-cam.com/video/4QiD8cvzCN0/w-d-xo.html

  • @techwithameer
    @techwithameer 4 years ago

    I need SameSite mode Strict, but then my redirection from a payment site is not working.
    Is there any solution to keep it working without changing SameSite Strict mode?

    • @hnasr
      @hnasr  4 years ago +1

      I think it's safe to use Lax for your use case since you are redirecting. I don't know if you can use Strict and still send the cookies while redirecting.

  • @gokusupersayiandbgt
    @gokusupersayiandbgt 4 years ago

    Hi, does the SameSite attribute provide protection on all browsers like IE and Firefox, or just the latest Chrome?

    • @hnasr
      @hnasr  4 years ago

      nvn dnt Correct, all browsers now support it except for IE: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

  • @MaheshBh6
    @MaheshBh6 2 years ago

    Stating the obvious here, but this is an HTTPS-only feature, so the flags won't work in any dev environments that don't have HTTPS configured.

  • @Jamie-pq9gn
    @Jamie-pq9gn 3 years ago

    Hi Nasser, I have a question: how is HTTPS in the video implemented? No certificate is imported in the source code.

    • @hnasr
      @hnasr  3 years ago

      Hey, I skipped that part since I explained it in other videos: th-cam.com/video/b35Dcz91ItE/w-d-xo.html

    • @Jamie-pq9gn
      @Jamie-pq9gn 3 years ago

      @hnasr Thank you very much 🙏

  • @alii4334
    @alii4334 2 years ago

    You can keep the DevTools open!

  • @mursalrabb6093
    @mursalrabb6093 3 years ago

    SameSite=None useless? I'd say no. It's pretty useful during the development phase when your frontend and backend are running on different ports.

  • @ca7986
    @ca7986 4 years ago

    ❤️

  • @hnasr
    @hnasr  4 years ago +4

    Still having trouble with SameSite? Rowan from Google is willing to help one-on-one; check his Twitter: twitter.com/rowan_m/status/1280821505757044736?s=21

    • @RowanMerewood
      @RowanMerewood 4 years ago

      Thanks, Hussein! Definitely happy to chat with people. Hearing about the issues people are having helps me in turn improve the documentation and samples too.

    • @FLUTTERMAD
      @FLUTTERMAD 4 years ago

      What if cookies are available for a specified domain or path, but SameSite is Lax/None?

    • @RowanMerewood
      @RowanMerewood 4 years ago

      @FLUTTERMAD Domain and Path specify requirements for the request carrying the cookie; SameSite specifies a requirement for the *context* of the request. E.g. Domain can control whether the cookie goes to sub1.example.com or sub2.example.com, while SameSite specifies whether the cookie should go to sub1.example.com when the request comes from another site, like google.com.
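Rowan's distinction above (Domain and Path gate the request, SameSite gates the request's context) and Hussein's earlier reply to @techwithameer (Lax cookies are not sent on a cross-site POST, with a two-minute exception) can both be captured in one small model of the browser's "do I attach this cookie?" decision. The block below is an added example in Node.js, not code from the video or its author. Everything in it is an assumption made for illustration: the cookie and request object shapes, the function names, the last-two-labels registrable-domain shortcut (no Public Suffix List, so it is wrong for co.uk-style suffixes), and the two-minute rule, which is modelled on Chromium's "Lax-allowing-unsafe" behaviour for cookies that carry no SameSite attribute at all.

```javascript
// Added example (not from the video): a model of the browser-side decision
// "does this cookie ride along with this request?". Domain and Path gate the
// *request*; SameSite gates the request's *context* (which site initiated it).
// Assumptions: cookie and request objects are plain literals, the
// registrable-domain check is "last two labels" (no Public Suffix List), and
// the cross-site POST exception follows Chromium's "Lax-allowing-unsafe"
// rule for cookies that never set SameSite.

const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // Chromium's two-minute grace window

// Simplified eTLD+1 so that api.example.com and www.example.com are one "site".
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Domain attribute: exact host for a host-only cookie, host or subdomain otherwise.
function domainMatches(cookie, host) {
  const h = host.toLowerCase();
  if (!cookie.domain) return h === cookie.host.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Path attribute: RFC 6265 path-match (prefix on a "/" boundary).
function pathMatches(cookie, path) {
  const p = cookie.path || "/";
  if (path === p) return true;
  if (!path.startsWith(p)) return false;
  return p.endsWith("/") || path[p.length] === "/";
}

// Server side: build the Set-Cookie value, refusing the one combination every
// current browser refuses (SameSite=None without Secure is silently dropped).
function buildSetCookie(name, value, attrs = {}) {
  if (attrs.sameSite === "None" && !attrs.secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${value}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  parts.push(`Path=${attrs.path || "/"}`);
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// Browser side. cookie: { host, domain?, path?, secure?, sameSite?, createdAt }
// req: { scheme, host, path, method, initiatorSite, topLevelNavigation }
// `now` is injectable so the two-minute window can be exercised deterministically.
function shouldAttachCookie(cookie, req, now = Date.now()) {
  if (cookie.secure && req.scheme !== "https") return false;
  if (!domainMatches(cookie, req.host)) return false;
  if (!pathMatches(cookie, req.path)) return false;

  // Same-site: the page that triggered the request lives on the same eTLD+1.
  if (registrableDomain(req.initiatorSite) === registrableDomain(req.host)) return true;

  // Cross-site from here on. <img>, <iframe> and fetch() are not top-level navigations.
  const safeMethod = req.method === "GET" || req.method === "HEAD";
  switch (cookie.sameSite) {
    case "Strict":
      return false;
    case "None":
      return true; // only reachable when Secure, see buildSetCookie
    case "Lax":
      return req.topLevelNavigation && safeMethod;
    default: {
      // No SameSite attribute: Chromium defaults to Lax, but additionally lets a
      // cookie younger than two minutes ride a cross-site top-level POST (the SSO
      // redirect-loop exception mentioned in the thread).
      if (req.topLevelNavigation && safeMethod) return true;
      const fresh = now - cookie.createdAt < LAX_POST_WINDOW_MS;
      return req.topLevelNavigation && req.method === "POST" && fresh;
    }
  }
}

// Walk through the video's scenario: a session cookie set by the API host,
// then referenced from an <img> (and from a link) on an unrelated site.
function demo() {
  const session = { host: "api.example.com", path: "/", secure: true, sameSite: "Lax", createdAt: 0 };
  const imgFromOtherSite = {
    scheme: "https", host: "api.example.com", path: "/profile.png",
    method: "GET", initiatorSite: "other-site.test", topLevelNavigation: false,
  };
  const linkFromOtherSite = { ...imgFromOtherSite, topLevelNavigation: true };
  return {
    lax: shouldAttachCookie(session, imgFromOtherSite),
    none: shouldAttachCookie({ ...session, sameSite: "None" }, imgFromOtherSite),
    strictLink: shouldAttachCookie({ ...session, sameSite: "Strict" }, linkFromOtherSite),
    laxLink: shouldAttachCookie(session, linkFromOtherSite),
  };
}

console.log(demo());
```

Run with `node samesite-model.js`; `demo()` returns `{ lax: false, none: true, strictLink: false, laxLink: true }`: an `<img>` on another site gets the cookie only with SameSite=None, and a top-level link click gets it with Lax but not with Strict. The Lax default and the POST grace window are Chromium behaviour; Firefox release builds and Safari treat a cookie with no SameSite attribute as unrestricted, which is one reason the same page can behave differently across browsers, as @mrstatler observed above.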

  • @lawfirm3843
    @lawfirm3843 3 years ago

    haha. master

  • @christymathew9035
    @christymathew9035 1 year ago

    SUBSCRIBER ++

  • @omarislearning3329
    @omarislearning3329 3 years ago

    cmd+/