Chromium (Chrome 80) Samesite Cookie Update

Overview

Chromium is an open-sourced project that powers Google Chrome and other modern web browsers. Chromium recently implemented a security update that impacts the way cookies are allowed on sites that use http (https sites are unaffected). This update removes the use of cookies that requests `SameSite=None` attribute that are not marked `Secure` (ie. an `http` site). 

Read more about Chromium's Same-Site timeline or their original blog post covering this update.

Chrome recently issued an update to notify their users that version 80 will include this same update and was set to go live Feb. 17th, 2020

 

What does this mean to Pendo Users?

This update affected Pendo or Pendo Adopt partners while launching the Designer for Pages, Features or Guides starting February 3rd, 2020. To handle these changes, Pendo implemented changes to their cookies so Chromium updates doesn't interrupt users during tagging or Guide building experiences.

If you're using a Chrome browser version before 80, you might see warning messages like the following:

mceclip1.png

Chrome browsers show these console messages to help vendors and users to prepare for these security updates that will be applied in version 80 and higher. Pendo tested and updated their cookies to align with Chromium updates. You might still see some warning messages as we have retained our previous cookie for the designer as well as implemented an additional one for these changes. We retained our previous cookie to allow for seamless use of the designer for non-Chromium browsers and Chromium version 79 and below. This cookie as well as other cookies from our pendo.io site could display in the developer console on your application. 

Note: These cookies from the designer and our pendo.io site do not affect end users of your application. Your end users will not see these warnings when they switch to Chrome 80+. Our cookies tied to the Pendo Agent have been updated for Chrome 80+. 

 

Authentication Error Message 

If you try to launch the Pendo Designer for Guides, Pages or Feature from a bookmark or a saved link, you may see an "authentication error" message like below:

 mceclip0.png

If you see this message, click on "Login" button to re-authenticate back into Pendo to obtain a new cookie. If you're still having trouble launching the designer, take a look at this help article.

 

Classic Designer Users

All Chromium 80+ browsers will refuse to send a Cookie with a Same-Site policy of anything other than "None" (the default is "Lax") if a site trying to send the cookie is in an iFrame. Pendo's Classic Designer works by iFraming in a site. So, if you use cookies with a Same-Site policy, you will need to update your cookies to have appropriate Same-Site settings to work in an iFrame. Otherwise, your site will refuse to send those cookies making it seem like the user, who is accessing the Classic Designer, is unable to login.

For more information and workarounds see our Troubleshooting: Classic In-App Designer article.  

How to Check Your Chrome Version

To check what version of Chrome you're currently on, 

  1. On your computer, open Chrome.
  2. At the top right, click More More.
  3. Click Help And then About Google Chrome.

The current version number is the series of numbers beneath the "Google Chrome" heading. Chrome will check for updates when you're on this page.

Learn more in Chrome Documentation.

 

Does this update include Safari (version 13.04+)?

No. Safari implemented a different security called Intelligent Tracking Prevention (ITP) to restrict sharing cookies between first and third party apps. As of Feb. 20, 2020, ITP (version 2.3) is included in Safari on macOS for Catalina, Mojave, and High Sierra. ITP prevents Pendo from launching the Guide designer because we leverage cookies to launch the designer over your application. At this point, the Pendo Designer is no longer supported in Safari version 13.04+ but will be open to launch another investigation in the future. But, the Pendo Agent is still fully supported in Safari.