juice
Member

Hubspot Tracking Code

After installing the HubSpot tracking code, I'm receiving the following warning: "A cookie associated with a cross-site resource at http://hs-scripts.com/ was set without the `SameSite` attribute"

How do I fix this?

3 Accepted solutions
WendyGoh
Solution
HubSpot Employee

Hey @sambarich, @finnhvman, @Haymez, @zimmreece and everyone,

I have further checked on this with our product team and I'm able to confirm that the warning will not impact all HubSpot functionality. Any automatic browser handling for cookies without the flag set will force them into a LAX-ish state, which is slightly more permitting than LAX itself and acceptable for the functions HubSpot uses its cookies for.

Let me know if there are any more concerns on this. Happy to help address them.

WendyGoh
Solution
HubSpot Employee

Hey @bctwalling,

It’s important to note that HubSpot doesn’t use third-party cookies to power the analytics user token we attach to contacts and that this change does not impact any functionality of HubSpot analytics tracking. The HubSpot analytics tracking code and cookies will continue to function correctly.

It is the case that external trackers that use third-party cookies may have issues with the flag (e.g. if a website has the Facebook pixel on it), but we don’t have control over the cookies those scripts drop.

WendyGoh
Solution
HubSpot Employee

Hey @edthenet, @nateangell, @tinyfly, @geekbleek, @seanvarnham, @eslpics, @kriswen and everyone,

Just an update here!

I have checked in with our team and we'd first like to clarify that the cookies set by HubSpot analytics scripts do now have the SameSite flag set (and have since February). We would not expect users to be seeing that Chrome warning specifically about the js.hs-analytics at this point.

The likely root cause here is that users are seeing warnings referring to either hubspot.com or app.hubspot.com related to HubSpot app cookies (such as login/auth cookies which a user would see on their own HubSpot website if they're logged into HubSpot in that same browser) or possibly cookies related to HubSpot API requests from assets they've embedded on their website.

Having said that, HubSpot analytics passes the values we need as query parameters on requests, so because our tracking doesn't expect the cookie to be present in the header, this does not affect our tracking functionality.

Additionally, I'd also like to suggest for you to try loading your website incognito to confirm if you still see those HubSpot warnings or not. If you do not see them in incognito, this can help confirm that they're related to being logged into HubSpot, and not related to the website itself.

Do let me know if there are any further concerns. I'd be happy to address them 🙂

24 Replies
finnhvman
Participant

Hi @WendyGoh,

This will have an impact on all HubSpot functionality starting from February, when Chrome will block third party cookies not set correctly like the cookies HubSpot uses currently.

@sambarich explained this very thoroughly: https://community.hubspot.com/t5/APIs-Integrations/Hubspot-Tracking-Code/m-p/309868/highlight/true#M...

Haymez
Participant

Is there any update HubSpot can provide on this issue? We're getting very close to February.
sambarich
Member | Platinum Partner

Hey Folks!

This is actually a VERY important issue - it's highly advisable HubSpot take action, even if by providing additional documentation.

TL;DR - So what does this mean to me as a HubSpot customer?

My websites using HubSpot tracking may fail to collect site visitor information due to a new third-party cookie standard.

Who's affected?

Any HubSpot clients using HubSpot Tracking Beacons to collect website visitor data who have site visitors using Chrome Browser version 80+ after February 2020.

The issue is "SameSite" - a new web standard impacting all third-party cookies, including HubSpot's

The majority browser, Chrome, will start issuing security errors for all third-party cookies (including those set by HubSpot on prospects' browsers) unless they properly implement the "SameSite" cookie parameter once Chrome v80 comes out (February 2020).

Google themselves have committed to updating their third-party tracking cookies (like Google Analytics and Google Tag Manager) to meet the new SameSite specification.

Basically, HubSpot developers will need to apply the "SameSite=None; Secure" setting to all cookies set by HubSpot (instructions on GoogleChromeLabs GitHub account here) AND ensure cookies are only delivered over SSL-encrypted traffic. Failure to adhere to the standard could risk HubSpot customers having their HubSpot tracking cookies dismissed as insecure by Chrome browser.

Background on the "SameSite" issue for other HubSpot users

This Chrome browser warning occurs in versions of Chrome 76+ for sites using third-party tracking cookies (such as using HubSpot, Google Analytics, or Google Tag Manager) that aren't using the new "SameSite" cookie security measure promoted by Google and Mozilla since 2016.

The Internet Engineering Task Force (IETF - governing body of internet standards) added a new standard for browser cookies called "SameSite" (see the spec here: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00). It adds an additional parameter to cookie-setting requests that broadly determines which sites can access the cookie. It was implemented to improve web security of third-party cookies and help prevent Cross-Site Request Forgery (CSRF).

Currently Google Chrome browser issues a warning regarding cookies not meeting this new standard. However, in February 2020, Chrome will treat these as errors, escalating the importance of the standard.

Learn more about SameSite cookies here:

  1. https://web.dev/samesite-cookies-explained/
  2. https://nakedsecurity.sophos.com/2019/05/10/chrome-browser-pushes-samesite-cookie-security-overhaul/
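
The cookie handling discussed in this thread, as an added example that is not part of the original posts and is not HubSpot's code: a small JavaScript checker that reads `Set-Cookie` header strings and reports how a Chrome 80+ style SameSite policy would treat each one. The cookie names, the verdict labels and the sample headers are constructed for illustration.

```javascript
// Added example. Header strings below are constructed samples, not real HubSpot cookies.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [rawKey, rawValue = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = rawValue.trim().toLowerCase();
  }
  return cookie;
}

// Verdict labels are hypothetical names chosen for this example.
function classify(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none") {
    // SameSite=None is only accepted together with the Secure attribute.
    return { name: c.name, verdict: c.secure ? "cross-site-ok" : "rejected" };
  }
  if (c.sameSite === "strict") return { name: c.name, verdict: "same-site-only" };
  if (c.sameSite === "lax") return { name: c.name, verdict: "lax" };
  // Missing or unrecognised SameSite value: the browser applies its Lax default.
  return { name: c.name, verdict: "default-lax" };
}

// Names of cookies that will not be delivered on cross-site subresource requests.
function notSentCrossSite(headers) {
  return headers
    .map(classify)
    .filter((r) => r.verdict !== "cross-site-ok")
    .map((r) => r.name);
}

const sampleHeaders = [ // constructed
  "tracker_a=abc123; Path=/; Domain=.example.com",
  "tracker_b=def456; Path=/; SameSite=None",
  "tracker_c=ghi789; Path=/; SameSite=None; Secure",
  "session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
];

for (const r of sampleHeaders.map(classify)) {
  console.log(`${r.name}: ${r.verdict}`);
}
```

Run it with Node.js against the `Set-Cookie` values copied from the browser's network panel to see which cookies depend on an explicit `SameSite=None; Secure`.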
WendyGoh
HubSpot Employee

Hi @juice,

I hope all is well with you 😄

It looks like this may be due to Chrome's recent updates with regard to cookies, where if no SameSite attribute is specified, the default would be SameSite=Lax.

Our team is aware of this issue and is currently looking into this. Once I have more insights on this, I'll keep you updated with more information as to whether this update may impact HubSpot cookies and/or if there's anything you need to be aware of. At the same time, do you mind sharing with me the pages where you're seeing this issue?