Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changes to Chrome will break fileDownload soon. #167

Open
arkytn opened this issue Dec 21, 2019 · 6 comments
Open

Changes to Chrome will break fileDownload soon. #167

arkytn opened this issue Dec 21, 2019 · 6 comments

Comments

@arkytn
Copy link

arkytn commented Dec 21, 2019
edited
Loading

The filedownload cookie needs to be modified to work with coming changes to Chrome.

A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032T

Just need to document the cookie format for this problem.

Set-Cookie: fileDownload=true; path=/ Secure SameSite=None
@joshuapinter
Copy link

Just to be clear @arkytn, do we just need to adjust the cookie to be fileDownload=true; path=/ Secure SameSite=None?

@arkytn
Copy link
Author

arkytn commented Jan 30, 2020

Here's an example from code I got working and this suppressed Chrome's warnings.

Set-Cookie: fileDownload=true; path=/; SameSite=None; Secure

@joshuapinter
Copy link

Thanks @arkytn. Two questions for you:

  1. Do you happen to have a screenshot of the warning that Chrome provides? And What version of Chrome this starts appearing on?

  2. Does it prevent the file from downloading? And/or does it prevent the AJAX call from returning successfully?

We're tracking down an issue with a client and we're trying to see if this is the issue or if it's something else.

Thanks!

@arkytn
Copy link
Author

arkytn commented Jan 30, 2020

No it doesn't stop the download. At this point it's a warning. Warning message in Console:

A cookie associated with a cross-site resource at http://cloudflare.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

@joshuapinter
Copy link

Awesome, thanks for the clarification!

@Darkicorn
Copy link

Darkicorn commented Oct 27, 2020
edited
Loading

In jquery.fileDownload.js, in function checkFileDownloadComplete(), the line
var cookieData = settings.cookieName + "=; path=" + settings.cookiePath + "; expires=" + new Date(0).toUTCString() + ";";

needs to be
var cookieData = settings.cookieName + "=; path=" + settings.cookiePath + "; expires=" + new Date(0).toUTCString() + "; secure=true;";

i.e. add secure=true; to remove the warning in Firefox:

Cookie “fileDownload” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite jquery.fileDownload.js:356:5

Also, perhaps the comment on the previous line, //remove cookie, could be more descriptive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@joshuapinter @arkytn @Darkicorn