SameSite attribute inline-mod

gldtn

Well-known member
Xenforo: 2.2.13

I'm getting errors in the browser console (links to /inline-mod/):
Cookie “teo_inlinemod_thread” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

And a couple more linking to (inject.js) EDIT: <--- This is not related to Xenforo, it seems like it's from the DuckDuckGo extension :confused:
Some cookies are misusing the recommended “SameSite“ attribute 2
Cookie “_gd1697833601606” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite inject.js:3607:29
https://xenforo.com/community/moz-extension://6863682a-4c57-47c4-8789-bb861bc99eab/public/js/inject.js

Cookie “_gd1697833601606” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I believe it has something to do with my redirect issue I posted here:

Edit: ^^^ The above is not related

I would like to know if it's something that needs to be implemented in Xenforo or something I need to do on my server, and if it's possibly related to the redirect issue I'm having above.

Thanks!
XenForo's XF\Http\Response::setCookie() method has support for SameSite.

The SameSite change has been a thing since Chrome 80 (almost 4 years ago):

By default, XenForo doesn't explicitly set SameSite, which is the same as SameSite=Lax. Normally you wouldn't need to override this, but there are cases you may need to. Like I have a site that allows users to embed their profile in third-party sites, so in order for someone to remain logged in when looking at it, I need to use SameSite=None. Which can be done via config.php:

PHP:
$config['cookie']['samesite'] = 'None';

But blindly changing it without understanding why you need to change it or what you should change it to isn't really a solution.

You should only be getting that message if the browser is making requests to third-party sites.
 
I see, I haven't updated since 2019, which makes sense. Although that doesn't seem to be a solution as you stated, it seems to be coming from Xenforo JS files, which shouldn't be considered 3rd party, correct?

I did try setting it like you said above just to see if it resolves my redirecting issue, but it did not!

I also learned today that the redirects happen when changing styles as well; if I remember correctly that is not supposed to happen! Furthermore, the samesite/redirecting issue may not be related at all? :confused::confused: 🤷‍♂️

Can someone confirm if my redirecting issue is or not related? Thank you 🙏
 
Third-party is anything on a different hostname. Maybe you have yourdomain.com and www.yourdomain.com running the same site? As far as a browser/computer is concerned, those are different hostnames.
 

Hmmm... I definitely do! I also had this in my config.php
$config['cookie']['domain'] = '.domain.org';

According to https://xenforo.com/docs/xf2/config/#cookie-settings it should be fine:
'.example.com' allows cookies to be read on example.com and any subdomain thereof

They also state that:
Similar to the cookie path setting, this allows you to specify a domain upon which your cookies can be read. It is unusual to need to set this value to anything other than the default, but as with the cookie path, you should be very careful if you change it, because entering a value that prevents XenForo from reading its own cookies will break important functionality, like the ability to stay logged in.
The reason for setting this value would be to allow cookies to be shared on multiple subdomains, for example a setting of .example.com would allow cookies to be accessed on all subdomains of example.com, such as www.example.com and other.example.com. In most instances, this setting can be left with its default setting.

So from what I understood I don't need to set it so I removed it from config.php, guessing it's best to leave it as default.
 
@digitalpoint Thanks for helping out, you helped me clear some things up on my config which has been like that for years lol.

Although my above warning seems to not have anything to do with Xenforo itself, but rather a warning from my DuckDuckGo extension, hence 'inject.js', feel stupid for not realizing this 🤦‍♂️

Although I still see it even after removing the extension, deleting my cookies and logging back in (editor-compiled.js):
Cookie “_gd1697915741244” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

And from core-compiled.js
Cookie “xf_inlinemod_thread” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

This did help me confirm that the redirecting issue is not related though! So I still have to figure that issue out, which has been a little annoying.

Thank you!
 
The _gd cookie seems to be coming from the Froala Editor. Couldn't find any documentation about what it's for.


Those messages are actually coming from your web browser. They are warning you that the page has cookies that haven't explicitly defined their SameSite attribute and will have their attribute be defaulted to Lax.
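The Lax default digitalpoint describes here and in the earlier post, the `SameSite=None` case that needs `Secure`, and the `cookie.domain` setting discussed above can all be checked mechanically. The following is an added example, not code from XenForo, Froala or any browser: a small Node.js script that parses `Set-Cookie` header strings, works out the SameSite value a browser would apply (missing or invalid treated as Lax, as Chromium does and as the Firefox warning says it will), and decides whether a cookie would be attached to a request. The function names, the sample headers (modelled on the `xf_inlinemod_thread` name in the thread) and the registrable-domain heuristic are all my own; the heuristic takes the last two labels of the hostname and does not use the Public Suffix List, so it is illustrative only.

```javascript
// Added example (not XenForo or browser code): emulate a browser's SameSite
// handling for Set-Cookie headers so you can see which cookies would trigger
// the "does not have a proper SameSite attribute" console warning and whether
// they would be sent on a given request.

const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';').map(p => p.trim()).filter(Boolean);
  if (!nameValue) throw new Error('empty Set-Cookie header');
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Classify a cookie the way the browser warning does:
//  - explicit valid SameSite  -> accepted as given
//  - missing or invalid value -> warning, treated as Lax
//  - None without Secure      -> rejected (not stored at all)
function classifySameSite(cookie) {
  const raw = cookie.attrs.samesite;
  const secure = cookie.attrs.secure === true;
  if (raw === undefined) {
    return { effective: 'lax', warning: 'missing SameSite; defaulted to Lax', stored: true };
  }
  const v = String(raw).toLowerCase();
  if (!VALID_SAMESITE.has(v)) {
    return { effective: 'lax', warning: `invalid SameSite=${raw}; defaulted to Lax`, stored: true };
  }
  if (v === 'none' && !secure) {
    return { effective: 'none', warning: 'SameSite=None requires Secure; cookie rejected', stored: false };
  }
  return { effective: v, warning: null, stored: true };
}

// Simplified "site": the last two labels of the host (assumption: no Public
// Suffix List, so multi-label suffixes such as co.uk are handled wrongly).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Domain attribute matching per RFC 6265: the host equals the domain or is a
// subdomain of it. A leading dot (as in '.example.org') is ignored.
function domainMatches(host, domainAttr) {
  const d = String(domainAttr).toLowerCase().replace(/^\./, '');
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Would the browser attach `cookie` (set by `setOnHost`) to a request that
// `initiatorHost` makes to `targetHost`? `topLevelNav` marks a top-level GET
// navigation such as a link click, the only cross-site case Lax allows.
function wouldSend(cookie, setOnHost, initiatorHost, targetHost, topLevelNav) {
  const { effective, stored } = classifySameSite(cookie);
  if (!stored) return false;
  const inScope = cookie.attrs.domain !== undefined
    ? domainMatches(targetHost, cookie.attrs.domain)
    : targetHost.toLowerCase() === setOnHost.toLowerCase(); // host-only cookie
  if (!inScope) return false;
  if (registrableDomain(initiatorHost) === registrableDomain(targetHost)) return true;
  if (effective === 'none') return true;
  if (effective === 'lax') return topLevelNav;
  return false; // strict: never sent cross-site
}

// Constructed sample headers; names are modelled on the ones in the thread.
const SAMPLE_HEADERS = [
  'xf_inlinemod_thread=1; Path=/',
  'xf_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'embed_profile=tok; Path=/; Secure; SameSite=None',
  'bad=1; Path=/; SameSite=None',
  'weird=1; Path=/; SameSite=Whatever',
  'xf_shared=1; Path=/; Domain=.example.org; Secure; SameSite=Lax',
];

// Report name, effective SameSite, warning text and whether the cookie is stored.
function auditHeaders(headers) {
  return headers.map(h => {
    const c = parseSetCookie(h);
    return { name: c.name, ...classifySameSite(c) };
  });
}

for (const row of auditHeaders(SAMPLE_HEADERS)) console.log(row);
```

Running it prints one row per header: the first cookie gets the same "defaulted to Lax" note the console shows, the `SameSite=None` cookie without `Secure` is marked as rejected, and the `Domain=.example.org` cookie is the one `wouldSend` will attach to `www.example.org` even though it was set on another subdomain, which is the effect of the `cookie.domain` setting quoted from the XenForo docs.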
 