#GTMTips: Chrome SameSite Warnings for Google Tag Manager

Update February 17, 2020: Google Tag Manager's Preview mode cookies have been updated with the necessary flags, so Preview mode won't break once SameSite enforcement is rolled out.
If you open the browser console in Google Chrome (since Chrome 76), you may have seen a bunch of warnings on a yellow background about the SameSite cookie attribute being either missing or incomplete for cookies set on external domains. If you use Google Tag Manager, especially in Preview mode, you may have seen a warning about the http(s)://www.googletagmanager.com domain.
Although the warning is very prominent, taking up some key real estate in the browser console, it is, for the time being, just a warning.
This article briefly explains what the SameSite hoopla is all about, and how it relates to Google Tag Manager.
Tip 108: The SameSite cookie attribute and Google Tag Manager
Here is the full text of such a warning:
A cookie associated with a cross-site resource at https://www.googletagmanager.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
What is the SameSite attribute?
The SameSite attribute is configured when the cookie is set, and it describes the contexts in which the cookie is available for reading.
It has three possible values:
- Strict – A cookie with this SameSite value is only available in requests where the requesting host shares the public suffix of the request origin (domain.com would be the public suffix for www.domain.com, sub.domain.com, and ecommerce.blog.domain.com). So if a page on domain.com requests a resource from www.domain.com, the SameSite=Strict cookie will be sent with the headers. But if a page on domain.com requests a resource from doubleclick.net, SameSite=Strict cookies written on doubleclick.net will not be included in the request. Notably, this also applies to navigation: when navigating from domain.com to otherdomain.com, SameSite=Strict cookies written on otherdomain.com will not be included in the request headers.
- Lax – If set with this value, the SameSite cookie behaves similarly to Strict cookies, but allows top-level navigation to include the cookie in the HTTP headers. Thus, if the user navigates from domain.com to otherdomain.com, SameSite=Lax cookies written on otherdomain.com will be included in the request headers. This is also the default value for cookies without an explicit SameSite attribute.
- None – This value allows access to the cookie in first-party and third-party contexts without restrictions.
Basically, if you have a cookie that needs to be sent across multiple domains in the HTTP headers, you need to set its SameSite attribute to None, or it will stop working when SameSite becomes enforced.
The important thing is that a SameSite=None cookie must also have the Secure flag, or it won't work.
If the cookie does not have the SameSite parameter, the default behavior is Lax. And so, again, all cookies intended for third-party access will stop working unless explicitly set to None.
This is a great article for more SameSite information: SameSite cookies explained.
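To make the three values and the None-requires-Secure rule concrete, here is an added example (not from the original article) that audits Set-Cookie headers and reports how a browser enforcing these rules would treat each cookie in a third-party context. The function names, verdict labels and sample headers are all assumptions constructed for illustration.

```javascript
// Added example: constructed Set-Cookie headers, not captured from any real site.
const SAMPLE_HEADERS = [
  'sso_session=abc123; Path=/; HttpOnly',            // no SameSite attribute
  'cart=42; Path=/; SameSite=None',                  // None without Secure
  'preview=draft; Path=/; Secure; SameSite=None',    // usable cross-site
  'csrf=xyz; Path=/; Secure; SameSite=Strict',       // first-party only
];

// Extract the cookie name plus the two attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
    if (key.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Verdict for a third-party (cross-site) context under SameSite enforcement.
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  // A missing attribute defaults to Lax. Treating an unrecognized value
  // the same way is an assumption of this example.
  const mode = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  let verdict;
  if (mode === 'none') {
    // SameSite=None only works together with the Secure flag.
    verdict = c.secure ? 'sent-cross-site' : 'rejected-missing-secure';
  } else if (mode === 'lax') {
    verdict = 'top-level-navigation-only';
  } else {
    verdict = 'same-site-only';
  }
  return { name: c.name, mode, verdict };
}

// Return only the cookies that would break in a third-party context.
function findBrokenThirdPartyCookies(headers) {
  return headers.map(crossSiteVerdict).filter((r) => r.verdict !== 'sent-cross-site');
}

console.table(SAMPLE_HEADERS.map(crossSiteVerdict));
```

Run it with Node against the Set-Cookie headers of any in-house authentication, cart or SSO endpoint that is embedded or called cross-site; anything returned by findBrokenThirdPartyCookies needs SameSite=None and Secure to keep working there.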
What is the deadline?
The SameSite change needs to be implemented before February 4, 2020. On that date, Chrome 80 will become the new stable build, and users who upgrade to it will see the SameSite attribute enforced.
Thus, after this date, any cookies sent with cross-site requests should have the SameSite=None and Secure flags, or the browser will reject them.
So what about Google Tag Manager?
You may be concerned about Google Tag Manager.
- Why does Google Tag Manager use third-party cookies?! – Simple: Preview mode. GTM uses a third-party cookie set on www.googletagmanager.com to make sure that your browser is in Preview mode, and that your browser is served the draft container rather than the latest live version.
- What can you do about the GTM SameSite warnings? – Nothing. If you read the previous chapters carefully, you will see that the SameSite change must be made by the party setting the cookie, i.e. Google. So Google needs to update the authentication cookies written on www.googletagmanager.com to include the SameSite=None and Secure flags for GTM Preview mode to keep working in Chrome (and any browsers that choose to implement SameSite).
Fortunately, there is confirmation from the Google Tag Manager team that they will make sure to update the cookies before the SameSite change enters the stable build.
Likewise, I’m sure that all other Google properties that require access to cookies in a third-party context will be handled appropriately as well.
The big concern with SameSite might thus not be vendors (e.g. adtech) that use cookies in third-party contexts to run their own tracking schemes, but rather in-house setups where things like authentication, shopping carts, and single sign-on (SSO) are handled by a single domain that passes persistent information in third-party cookies.
It's likely to be a critical change, so if your company's IT department isn't on top of things, time is running out for them.
To see the scope of this change and how badly prepared the general public is, I recommend looking no further than Zach Edwards' Twitter feed, because it is full of examples where things have gone (or are going to go) wrong.
Zach's webinar on this topic is also helpful (you can find the presentation here).
I hope this article was enlightening – please let me know in the comments if you have other concerns about SameSite cookies!