SameSite attribute inline-mod

gldtn

gldtn

Well-known member
Xenforo: 2.2.13

I'm getting errors in the browser console(links to /inline-mod/):
Cookie “teo_inlinemod_thread” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Click to expand...

And a couple more linking to (inject.js) EDIT: <--- This is not related to Xenforo, it's seems like it's from DuckDuckGo extension :confused:
Some cookies are misusing the recommended “SameSite“ attribute 2
Cookie “_gd1697833601606” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite inject.js:3607:29
Click to expand...
https://xenforo.com/community/moz-extension://6863682a-4c57-47c4-8789-bb861bc99eab/public/js/inject.js

Cookie “_gd1697833601606” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Click to expand...

I believe it has something to do with my redirect issue I posted here:
xenforo.com

Redirection on inline moderation

I upgraded to a new instance on Linode from Ubuntu 20.04 to 22.04, and ever since I've been getting redirected to home page after inline moderation. Can someone shed a light as I can't figure it out what exactly has changed. I suspect it's something within nginx config.. My server blocks...
xenforo.com xenforo.com

Edit: ˆˆˆ^The above is not related

I would like to know if it's something that needs to be implement on Xenforo or something I need to do on my server and if it's possibly related to the redirect issue I'm having above.

Thanks!
 
Last edited:
Sort by date Sort by votes
XenForo's XF\Http\Response::setCookie() method has support for SameSite.

The SameSite change has been a thing since Chrome 80 (almost 4 years ago):
developers.google.com

Get Ready for New SameSite=None; Secure Cookie Settings | Google Search Central Blog | Google for Developers

developers.google.com developers.google.com

By default, XenForo doesn't explicitly set SameSite, which is the same as SameSite=Lax. Normally you wouldn't need to override this, but there are cases you may need to. Like I have a site that allows users to embed their profile in third-party sites, so in order for someone to remain logged in when looking at it, I need to use SameSite=None. Which can be done via config.php:

PHP: 
$config['cookie']['samesite'] = 'None';

But blindly changing it without understanding why you need to change it or what you should change it to isn't really a solution.

You should only be getting that message if the browser is making requests to third-party sites.
 
Upvote 0 Downvote
I see, I haven't updated since 2019, which makes sense. Although that doesn't seem to be a solution as you stated, It's seems to be coming from Xenforo JS files which shouldn't be considered 3rd party, correct?

I did try setting it like you said above just to see if it resolves my redirecting issue, but it did not!

I also learned today that the redirects happens when changing styles as well, if I remember correctly that is not suppose to happen! Further more the samesite/redirecting issue may not be related at all? :confused::confused: 🤷‍♂️

Can someone confirm if my redirecting issue is or not related? Thank you 🙏
 
Upvote 0 Downvote
Third-party is anything on a different hostname. Maybe you have yourdomain.com and www.yourdomain.com running the same site? As far as a browser/computer is concerned, those are different hostnames.
 
Upvote 0 Downvote
digitalpoint said:
Third-party is anything on a different hostname. Maybe you have yourdomain.com and www.yourdomain.com running the same site? As far as a browser/computer is concerned, those are different hostnames.
Click to expand...

Hmmm... I definitely do! I also had this in my config.php
$config['cookie']['domain'] = '.domain.org';
Click to expand...

According to https://xenforo.com/docs/xf2/config/#cookie-settings it should be fine:
'.example.com' allows cookies to be read on example.com and any subdomain thereof
Click to expand...

They also state that:
Similiar to the cookie path setting, this allows you to specify a domain upon which your cookies can be read. It is unusual to need to set this value to anything other than the default, but as with the cookie path, you should be very careful if you change it, because entering a value that prevents XenForo from reading its own cookies will break important functionality, like the ability to stay logged in.
Click to expand...
The reason for setting this value would be to allow cookies to be shared on multiple subdomains, for example a setting of .example.com would allow cookies to be accessed on all subdomains of example.com, such as www.example.com and other.example.com. In most instances, this setting can be left with its default setting.
Click to expand...

So from what I understood I don't need to set it so I removed it from config.php, guessing it's best to leave it as default.
 
Last edited:
Upvote 0 Downvote
@digitalpoint Thanks for helping out, you helped me clear somethings up on my config which has been like that for years lol.

Although my above warning seems to not have anything to do with Xenforo itself, but rather a warning from my DuckDuckGo extension, hence 'inject.js', feel stupid for not realizing this 🤦‍♂️

Although I still see it even after removing the extension, deleting my cookies and login back in (editor-compiled.js):
Cookie “_gd1697915741244” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Click to expand...

And from core-compiled.js
Cookie “xf_inlinemod_thread” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Click to expand...

This did help me confirm that the redirecting issue is not related though! So I still have to figure that issue out, which has been a little annoying.

Thank you!
 
Last edited:
Upvote 0 Downvote
gldtn said:
@digitalpoint Thanks for helping out, you helped me clear somethings up on my config which has been like that for years lol.

Although my above warning seems to not have anything to do with Xenforo itself, but rather a warning from my DuckDuckGo extension, hence 'inject.js', feel stupid for not realizing this 🤦‍♂️

Although I still see it even after removing the extension, deleting my cookies and login back in (editor-compiled.js):


And from core-compiled.js


This did help me confirm that the redirecting issue is not related though! So I still have to figure that issue out, which has been a little annoying.

Thank you!
Click to expand...
The _gd cookie seems to be coming from the Froala Editor. Couldn't find any documentation about what it's for.

1699052666938.webp

Those messages are actually coming from your web browser. They are warning you that the page has cookies that haven't explicitly defined their SameSite attribute and will have their attribute be defaulted to Lax.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

⭐ Alex ⭐
  • Solved
XF 2.2 Is There Still a Reason to Not Use SameSite Strict or Lax for Cookies?
Replies
8
Views
462
⭐ Alex ⭐
⭐ Alex ⭐
Boothby
Fixed Console Log: Cookie attribute "sameSite" without using the "secure" attribute
Replies
1
Views
548
XF Bug Bot
XF Bug Bot
V
  • Question Question
XF 1.5 Chrome 80 - Cookies
Replies
9
Views
1K
bzcomputers
bzcomputers
X
  • Suggestion Suggestion
Implemented Support SameSite cookie attribute
Replies
12
Views
2K
otto
otto
Top Bottom