Upcoming changes to SameSite cookie policy cause Snowplow to generate browser warnings

Firefox recently introduced an experimental flag to test out upcoming changes to browsers' SameSite cookie policy.

More info on the changes here: https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/

Switching on the experimental flags causes warnings to appear in the browser console. We should follow the advice of the warning and verify that cookies still work as expected under the new policy, and update our own SameSite cookie policy as required.

To reproduce

  1. Enable the new default behavior in Firefox (works in any version past 75):
    1. In the URL bar, navigate to about:config (accept the warning prompt, if shown).
    2. Type SameSite into the “Search Preference Name” bar.
    3. Set network.cookie.sameSite.laxByDefault to true using the toggle icon.
    4. Set network.cookie.sameSite.noneRequiresSecure to true using the toggle icon.
    5. Restart Firefox.
  2. Navigate to https://www.gitlab.com
    • log in if not already logged in
  3. Check the browser console for warnings.

Screenshots

The following warnings appear in the console:

[Screenshot: Screenshot_2020-08-06_at_11.47.29]

Notes

The warnings seem to appear in the snowplow integration. Without testing everything, it's unclear whether there are also warnings generated by other functionality in GitLab.

Edited by Tristan Read
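
Added example (not part of the original issue, and not GitLab or Snowplow code): a small checker that applies the two rules enabled in the reproduction steps, `laxByDefault` and `noneRequiresSecure`, to cookie strings, whether they come from a `Set-Cookie` header or are assigned to `document.cookie`. The cookie names and values are constructed, and the function names are hypothetical.

```javascript
// Constructed sample cookie strings (names and values are illustrative only).
const SAMPLE_COOKIES = [
  'tracker_id=abc123; Path=/; Expires=Fri, 06 Aug 2021 11:47:29 GMT',
  'tracker_ses=1; Path=/; SameSite=None',
  'session=xyz; Path=/; Secure; HttpOnly; SameSite=None',
  'prefs=dark; Path=/; SameSite=Lax',
];

// Split a cookie string into its name and a map of lowercased attribute names.
function parseCookie(str) {
  const [pair, ...rest] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Decide how one cookie is treated once both preferences are set to true.
function auditCookie(str) {
  const { name, attrs } = parseCookie(str);
  const sameSite = (attrs.samesite || '').toLowerCase();
  const secure = 'secure' in attrs;
  // noneRequiresSecure: SameSite=None is only accepted together with Secure.
  if (sameSite === 'none' && !secure) {
    return { name, effective: null, verdict: 'rejected' };
  }
  if (['none', 'lax', 'strict'].includes(sameSite)) {
    return { name, effective: sameSite, verdict: 'ok' };
  }
  // laxByDefault: a cookie with no SameSite attribute is treated as Lax.
  return { name, effective: 'lax', verdict: 'defaulted' };
}

// Return only the cookies that need an explicit SameSite policy decision.
function flagged(cookies) {
  return cookies.map(auditCookie).filter((r) => r.verdict !== 'ok');
}

console.log(flagged(SAMPLE_COOKIES));
```

Cookies reported as `defaulted` stop being sent on cross-site subrequests, and those reported as `rejected` are not stored at all, so both groups need an explicit attribute before the new defaults ship.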