private app and Chrome samesite issue

Tourist

Hi

We have a website developed in Drupal which is connected to Shopify: we use a Shopify private app both to retrieve the product catalog and to add articles to cart.

We use the Admin API to retrieve the product catalog --> this works fine

We use the Storefront API to add products to the cart and to display the cart content --> since February and Chrome version 80, we have encountered an issue due to the way Chrome manages 3rd party cookies: fetching the cart content doesn't work anymore for several people.

Do you know why?

The only error we see in the console is "A cookie associated with a cross-site resource at https://REMOVED_URL was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`"

We noticed that for some people using Chrome, when going to the Chrome experiments at chrome://flags, disabling the same-site attributes, relaunching Chrome, and then setting the same-site attributes back to "default", Chrome is able to fetch the cart. We don't understand this issue.

However, as we use a Shopify generated private app, we can't access any parameters and add the Samesite=none and secure on the Shopify side.

How to solve this issue?

Thanks for your help

0 Likes
Tourist

Hey, I can't believe we're the only ones to encounter this problem.

All people using Shopify private apps should also have it.

Can anyone @shopify help us?

0 Likes
Shopify Staff

Hey @Waxonius1,

Are you able to provide a link to a demo of the issue?

Notice; Out of office, replies will be delayed until my return. Thanks!
0 Likes
Tourist

Hey @SBD_ 

Sure, the website is natan.be. Here are the steps to reproduce the issue:

  • Go to this page: https://natan.be/fr/products/ss20/macao?p=4636
  • Open Chrome Inspector and go to the console tab,
  • Select a product size and click on "Add to bag". If the cart panel doesn't expand, click on the bag icon. The panel fetches the cart content from Shopify thanks to the StoreFront API and displays it.

You'll see in the Chrome console tab several warnings mentioning that SameSite should be set to none.

When looking at the cookie panel, we see that the cookies coming from https://natan-e-shop.myshopify.com/ don't contain the value "none" for the samesite attribute.

The issue we had for several days, for most of the people using Chrome, was that the cart couldn't be retrieved and displayed using the Storefront API.

The only way to retrieve the cart was to go to chrome://flags and disable the same-site properties.

Right now, the issue doesn't occur on most of the Chrome browsers because Chrome announced they stopped deploying the samesite behavior due to COVID-19:

https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html

However, if we go to chrome://flags and enable the same-site properties, then the issue occurs again.

Thanks for your help

0 Likes
Shopify Staff

Thanks @Waxonius1

The site's adding to cart by posting to https://natan-e-shop.myshopify.com/cart/add and pulling content from https://natan-e-shop.myshopify.com/cart.json, resulting in cross-domain cookies. Use the Storefront API instead to get around this.

Let me know if you get stuck!

Notice; Out of office, replies will be delayed until my return. Thanks!
0 Likes
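
The following is an added example, not part of the thread or Shopify's code. It models the rule quoted in the console warning for the case discussed here (a credentialed cross-site fetch to the shop domain) and shows why toggling the two chrome://flags entries changes whether the cart cookie is delivered. The function names and the sample `cart=abc123` cookie are constructed for illustration.

```javascript
// Added example. Simplified model of Chrome 80's SameSite rules for one case:
// a credentialed cross-site subresource request (fetch/XHR), as in the thread.
// The two options mirror the chrome://flags entries "SameSite by default cookies"
// and "Cookies without SameSite must be secure".

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite" && ["strict", "lax", "none"].includes(value)) {
      cookie.sameSite = value; // unrecognised values stay null (treated as missing)
    }
  }
  return cookie;
}

function crossSiteFetchVerdict(header, flags = {}) {
  const { sameSiteByDefault = true, noneRequiresSecure = true } = flags;
  const cookie = parseSetCookie(header);
  // Missing attribute: Lax under the new default, None under the legacy behaviour.
  const mode = cookie.sameSite ?? (sameSiteByDefault ? "lax" : "none");
  // The Secure requirement only applies when SameSite-by-default is also enabled.
  if (mode === "none" && sameSiteByDefault && noneRequiresSecure && !cookie.secure) {
    return { sent: false, reason: "rejected: SameSite=None without Secure" };
  }
  if (mode === "none") return { sent: true, reason: "SameSite=None: sent cross-site" };
  return { sent: false, reason: `SameSite=${mode}: withheld from cross-site fetch` };
}

// Constructed sample headers (the thread does not show the real cookie names).
const samples = [
  "cart=abc123; Path=/",
  "cart=abc123; Path=/; SameSite=None",
  "cart=abc123; Path=/; SameSite=None; Secure",
];
for (const header of samples) {
  console.log(header, "=>", crossSiteFetchVerdict(header).reason);
}
console.log("flags disabled =>", crossSiteFetchVerdict(samples[0],
  { sameSiteByDefault: false, noneRequiresSecure: false }).reason);
```

A cookie-based cart session set by the shop domain only survives the new default if the server itself marks it `SameSite=None; Secure`, which is why a token-based API call that needs no cookie avoids the problem.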