28

I am trying to set the SameSite attribute using JavaScript on my site. The code is

<script type="text/javascript">
  // Expires must be an HTTP date (RFC 1123 form); the localized date rendering has been restored to that form.
  document.cookie = "AC-C=ac-c;expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;HttpOnly;SameSite=Lax";
</script>

The cookie is being set, but the SameSite attribute is not being set. Any idea what I am missing?

Thanks

asked May 16, 2018 at 2:03
2
  • What browser are you using? Please check this link for browser support: caniuse.com/#feat=same-site-cookie-attribute Commented May 16, 2018 at 2:16
  • Google Chrome Version 66.0.3359.181 Commented May 16, 2018 at 2:26

2 Answers

28

Your problem is not with SameSite, but with HttpOnly. HttpOnly and SameSite are 2 independent things; if you remove HttpOnly it will work... and the cookie will be set with SameSite.

<script>
  // Same cookie as in the question, without HttpOnly; the expires value is in HTTP date form.
  document.cookie = "AC-C=ac-c;expires=Fri, 31 Dec 9999 23:59:59 GMT;path=/;SameSite=Lax";
  alert(document.cookie);
</script>
answered Jun 9, 2019 at 10:50

12

You cannot set the HttpOnly flag via the JavaScript API document.cookie. The HttpOnly flag can be set only via a cookie header in the server response. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies: "Cookies created via JavaScript cannot include the HttpOnly flag."

You wrote "The cookie is being set but the SameSite attribute is not being set", but I think that is not true. A cookie set via JS with the HttpOnly attribute is rejected altogether, or maybe some browsers set it but ignore the HttpOnly flag - so in the end your cookie is not HTTP only.

answered Nov 12, 2019 at 9:59

3 Comments

You're right, my apologies. While I'd still argue that setting SameSite on the client side is not very useful considering its purpose, my answer to OP's actual question is wrong and I'm withdrawing it. As you say, it is possible to set it from the client side.
@Vasan You are right that setting SameSite=Strict/Lax is not very useful considering its purpose, but consider SameSite=None... it is useful. Since Chrome v80, 3rd parties (e.g. iframes) must set SameSite=None for a cookie that is not Strict/Lax, because Chrome will not send it with CORS requests. Btw. in a 3rd-party iframe it is not possible to set SameSite=Strict/Lax, but only SameSite=None, so in this use case enabling the SameSite flag for the JS API is not in conflict with the SameSite purpose.
Yes, setting SameSite=None is not just useful but required when loaded as a third-party iframe, and unfortunately it is not possible to set it from JavaScript.
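As an added example serving both answers above (it is not code from the question or from either answer), the following Node.js snippet builds the cookie from the question as a Set-Cookie response header, the only place HttpOnly can be set, and pairs it with a small parser that applies the rule both answers describe: a cookie string carrying HttpOnly handed to document.cookie is discarded. The handler function, the option names and the header-building helper are assumptions of this example, not part of any library discussed on the page.

```javascript
// Added example, not code from the question or either answer. It assumes a
// Node.js server: HttpOnly can only travel in a Set-Cookie response header,
// so the cookie from the question is built server-side here.

// Build a Set-Cookie header value with validated attributes (hypothetical helper).
function buildSetCookie(name, value, opts = {}) {
  // RFC 6265 token for the name; the value must not contain separators or quotes.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  const sameSite = opts.sameSite || 'Lax';
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite value');
  // Browsers reject SameSite=None unless the cookie is also Secure.
  if (sameSite === 'None' && !opts.secure) throw new Error('SameSite=None requires Secure');

  const parts = [`${name}=${value}`];
  // toUTCString() yields the RFC 1123 date form the Expires attribute expects.
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Split a Set-Cookie (or document.cookie assignment) string into name, value
// and a map of lower-cased attribute names to their values (true if bare).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('missing name=value pair');
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// The rule both answers describe (RFC 6265 section 5.3): a cookie string
// handed to document.cookie is discarded if it carries the HttpOnly attribute.
function scriptSettable(cookieString) {
  return !('httponly' in parseSetCookie(cookieString).attrs);
}

// Hypothetical Node.js request handler that sets the question's cookie the
// server-side way; wire it up with http.createServer(handler).listen(port).
function handler(req, res) {
  res.setHeader('Set-Cookie', buildSetCookie('AC-C', 'ac-c', {
    expires: new Date(Date.UTC(9999, 11, 31, 23, 59, 59)),
    secure: true,
    httpOnly: true,
    sameSite: 'Lax',
  }));
  res.end('cookie set');
}
```

Run with `node`; `scriptSettable` returns false for the header the handler emits and true for the HttpOnly-free string from the first answer, which is the difference between the two snippets on this page.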
