topic Re: Hubspot Tracking Code in APIs & Integrations

Hubspot Tracking Code

juice — Tue, 08 Oct 2019 23:46:54 GMT

After installing the hubspot tracking code, i'm receiving the following warning "A cookie associated with a cross-site resource at http://hs-scripts.com/ was set without the `SameSite` attribute"

How do i fix this?

Re: Hubspot Tracking Code

WendyGoh — Thu, 10 Oct 2019 03:08:50 GMT

Hi @juice,

I hope all is well with you 😄

It looks like this may be due to chrome recent updates with regard to cookie where if no SameSite atrribute is specified the default would be SameSite=Lax.

Our team is aware of this issue and is currently looking into this. Once I have more insights on this, I'll keep you updated with more information as to whether this update may impacts HubSpot cookie and/or if there's anything you need to be aware of. At the same time, do you mind sharing with me the pages that you're seeing this issue?

Re: Hubspot Tracking Code

WendyGoh — Wed, 06 Nov 2019 08:19:56 GMT

Hi @juice,

Just an update here, the warning message is showing because of some updates that Chrome is making. That said, we do not expect the change to have an impact on any HubSpot product functionality as the default way which Chrome is treating the situation is in compliance with what the HubSpot tracking code needs. I hope this helps to clarify!

Re: Hubspot Tracking Code

sambarich — Fri, 03 Jan 2020 20:27:59 GMT

Hey Folks!

This is actually a VERY important issue - it's highly advisable HubSpot take action, even if by providing additional documentation.

TL;DR - So what does this mean to me as a HubSpot customer?

My websites using HubSpot tracking may fail to collect site visitor information due to a new third-party cookie standard.

Who's affected?

Any HubSpot clients using HubSpot Tracking Beacons to collect website visitor data who have site visitors using Chrome Browser version 80+ after February 2020.

The issue is "SameSite" - a new web standard impacting all third-party cookies, including HubSpot's

The majority browser, Chrome, will start issuing security errors for all third-party cookies (including those set by HubSpot on prospects browsers) unless they properly implement the "SameSite" cookie parameter once Chrome v80 comes out (February 2020).

Google themselves have committed to updating their third-party tracking cookies (like Google Analytics and Google Tag Manager) to meet the new SameSite specification.

Basically, HubSpot developers will need to apply the "SameSite=None; Secure" setting to all cookies set by HubSpot (instructions on GoogleChromeLabs GitHub account here) AND ensure cookies are only delivered over SSL-encrypted traffic. Failure to adhere to the standard could risk HubSpot customers having their HubSpot tracking cookies dismissed as insecure by Chrome browser.

Background on the "SameSite" issue for other HubSpot users

This Chrome browser warning occurs for in versions of Chrome 76+ for sites using third-party tracking cookies (such as using HubSpot, Google Analytics, or Google Tag Manager) that aren't using the new "SameSite" cookie security measure promoted by Google and Mozilla since 2016.

The Internet Engineering Task Force (IETF - governing body of internet standards) added a new standard for browser cookies called "SameSite" (see the spec here: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00). It adds an additional parameter to cookie-setting requests that broadly determines which sites can access the cookie. It was implemented to improve web security of third-party cookies and help prevent Cross-Site Request Forgery (CSRF).

Currently Google Chrome browser issues a warning regarding cookies not meeting this new standard. However, in February 2020, Chrome will treat these as errors, escalating the importance of the standard.

Learn more about SameSite cookies here:

Re: Hubspot Tracking Code

finnhvman — Thu, 09 Jan 2020 14:25:48 GMT

Hi @WendyGoh,

This will have an impact on all HubSpot functionality starting from February, when Chrome will block third party cookies not set correctly like the cookies HubSpot uses currently.

@sambarich explained this very thoroughly: https://community.hubspot.com/t5/APIs-Integrations/Hubspot-Tracking-Code/m-p/309868/highlight/true#M29475

Re: Hubspot Tracking Code

Haymez — Wed, 29 Jan 2020 03:22:07 GMT

Is there any update HubSpot can provide on this issue? We're getting very close to February.

Re: Hubspot Tracking Code

zimmreece — Wed, 29 Jan 2020 18:56:22 GMT

Echoing the questions here, an official word on if HubSpot tracking will be ready for Feb release would be great.

Re: Hubspot Tracking Code

WendyGoh — Thu, 30 Jan 2020 03:34:02 GMT

Hey @sambarich, @finnhvman, @Haymez, @zimmreece and everyone,

I have further checked on this with our product team and I'm able to confirm that the warning will not impact all HubSpot functionality. Any automatic browser handling for cookies without the flag set will force them into a LAX-ish state, which is slightly more permitting than LAX itself and acceptable for the functions HubSpot uses its cookies for.

Let me know if there's any more concerns on this. Happy to help address them.

Re: Hubspot Tracking Code

bctwalling — Thu, 30 Jan 2020 16:36:40 GMT

So while the LAX-ish state will work fine for HubSpot, it won't work for customers or integrators who use that cookie along with your REST API to identify viewers. If you don't allow the cookie to be read by them, then your REST API which can get a contact by user token (https://developers.hubspot.com/docs/methods/contacts/get_contact_by_utk) will no longer work.

Re: Hubspot Tracking Code

WendyGoh — Wed, 05 Feb 2020 03:29:20 GMT

Hey @bctwalling,

It’s important to note that HubSpot doesn’t use third party cookies to power the analytics user token we attach to contacts and that this change does not impact any functionality of HubSpot analytics tracking and the HubSpot analytics tracking code and cookies will continue to function correctly.

It is the case that external trackers that use third party cookies may have issues with the flag (e.g. if a website has the Facebook pixel on it), but we don’t have control over the cookies those scripts drop.

Re: Hubspot Tracking Code

cscheible — Thu, 27 Feb 2020 14:07:27 GMT

phew, we are counting on this cookie for chat targeting!!!

Re: Hubspot Tracking Code

tinyfly — Thu, 30 Apr 2020 23:17:19 GMT

I'm not sure this is correct. Apparently Chrome will start blocking cross-site cookies at some point.

"Cookies for cross-site usage must specify SameSite=None; Secure to enable inclusion in third party context."

I'm including the Hubspot tracking code in my company website that is not powered by Hubspot. That tracking code sets a cookie that doesn't include a SameSite attribute. Some browsers will apply a SameSite=Lax in that case. If that cookie as also a cross-site cookie, which this is, it is only a matter of time before browsers block that cookie. My reading is that only if you set SameSite=None and the Secure flag will the browser allow it to be set.

https://web.dev/samesite-cookies-explained/ - Some browsers have a bug where setting SameSite=None is treated as setting it to Strict. So some feature detection would be required. Also setting the Secure flag would require all users of your tracking code to be using https, not a bad requirement, but may break some customers tracking.

Re: Hubspot Tracking Code

edthenet — Mon, 04 May 2020 12:00:18 GMT

But we still get those annoing warning in the developer toolbar i want to get rid off.

Can you not simply fix this issue in a matter that it does apply to all of our needs?

Re: Hubspot Tracking Code

nateangell — Sat, 30 May 2020 23:32:18 GMT

Chrome warns: "A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Can you please explain exactly what parts of HubSpot will continue to work and what will stop working once Chrome makes this change?

Re: Hubspot Tracking Code

geekbleek — Wed, 22 Jul 2020 13:12:31 GMT

Chrome is now blocking these cookie requests starting July 14th. I'm getting them blocked in my Chrome console:

This is pretty urgent, and you've known this change was coming for quite some time: https://www.chromestatus.com/feature/5088147346030592

Re: Hubspot Tracking Code

seanvarnham — Thu, 23 Jul 2020 11:52:43 GMT

Same here, I'm getting some significant warnings and the back-end of a client's WordPress website is crashing every 2 minutes when editing the home page - it would seem because these errors. I have the WP plugin installed too.

Re: Hubspot Tracking Code

eslpics — Thu, 30 Jul 2020 13:36:56 GMT

I too, am having problems with this - particularly when used with your API. At preent it only affects dev but when Chrome enforce the rule it will break our main site's functionality with Hubspot. Is this being worked on - you simply have to add SameSite=None and Secure to your cookie generation...

Re: Hubspot Tracking Code

Bweber — Fri, 07 Aug 2020 00:17:43 GMT

I see the same error for all HS cookies on our site originating from the WP plug-in. It appears that this may also be affecting the SEO of the site as I found the issue when running Google's web.dev/measure tool.

Re: Hubspot Tracking Code

kriswen — Tue, 11 Aug 2020 01:07:47 GMT

did any one have a solution?

Re: Hubspot Tracking Code

kriswen — Tue, 11 Aug 2020 01:08:12 GMT

did you have a solution to this?

@Bweber wrote:
I see the same error for all HS cookies on our site originating from the WP plug-in. It appears that this may also be affecting the SEO of the site as I found the issue when running Google's web.dev/measure tool.