Cookie security and the SameSite attribute

The SameSite attribute controls when the browser sends the cookiehub cookie, which the CookieHub widget sets to store the visitor's choices so that the initial dialog is not shown again on every page load. By default the SameSite attribute is set to "Lax", but you can change the value if required.

Starting with Chrome 80, cookies that don't specify SameSite are treated as Lax, and the None value is only accepted if the cookie also carries the Secure attribute.

Possible values are:

  • Strict: The browser sends the cookie only on requests that originate from the same site that set it. It is not sent on any cross-site request, including when a visitor reaches your site by following a link from another site.
  • Lax: The cookie is sent on same-site requests and on top-level navigations from other sites (for example a visitor clicking a link to your site), but not on cross-site subrequests such as embedded images, iframes or cross-site form POSTs. This is the default setting for CookieHub.
  • None: No cross-site restriction; the cookie is sent on all requests to your site, including third-party contexts. Browsers only accept this value together with the Secure attribute.

If the Secure attribute is set to true, the browser only stores and sends the cookie over a secure connection (https); on pages loaded over plain http the cookie is not available. Since CookieHub doesn't know whether your whole site is served over a secure connection, the default value is false, but we recommend setting it to true. If you choose sameSite: 'None', you must also set secure: true, otherwise browsers that follow the Chrome 80 behavior reject the cookie entirely.
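To make the three SameSite values and the Secure attribute concrete, the following is an added example (not CookieHub's code) that models how a Chrome 80+ browser decides whether a cookie is attached to a request, given a cpm.cookie-style { sameSite, secure } object. The request contexts are constructed for illustration, and the model deliberately omits Chrome's temporary "Lax+POST" exception for freshly set cookies.

```javascript
// Added example: a small model of how a Chrome 80+ browser decides whether a
// cookie is attached to a request, depending on its SameSite and Secure
// attributes. Illustration code, not part of the CookieHub widget.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Turn a cpm.cookie config ({ sameSite, secure }) into the attributes the
// browser will actually store. Mirrors the Chrome 80 rules:
//   - a missing SameSite value is treated as Lax
//   - SameSite=None without Secure is rejected (the cookie is not set at all)
// Returns null when the browser would reject the cookie.
function normalizeCookieConfig(config) {
  const sameSite = String(config.sameSite || 'Lax').toLowerCase();
  const secure = Boolean(config.secure);
  if (!['strict', 'lax', 'none'].includes(sameSite)) {
    throw new Error(`unknown SameSite value: ${config.sameSite}`);
  }
  if (sameSite === 'none' && !secure) {
    return null;
  }
  return { sameSite, secure };
}

// Decide whether the cookie is sent with a request.
// request: { crossSite, topLevelNavigation, method, https }
function cookieIsSent(config, request) {
  const cookie = normalizeCookieConfig(config);
  if (cookie === null) return false;                 // rejected, never stored
  if (cookie.secure && !request.https) return false; // Secure: https only
  if (!request.crossSite) return true;               // same-site: always sent
  switch (cookie.sameSite) {
    case 'strict':
      return false;                                  // never on cross-site requests
    case 'lax':
      // only on top-level navigations with a safe method (a clicked link)
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case 'none':
      return true;                                   // sent in all contexts
    default:
      return false;                                  // unreachable after validation
  }
}

// Constructed request contexts, all over https.
const REQUESTS = {
  sameSitePage:        { crossSite: false, topLevelNavigation: true,  method: 'GET',  https: true },
  linkFromOtherSite:   { crossSite: true,  topLevelNavigation: true,  method: 'GET',  https: true },
  embeddedByOtherSite: { crossSite: true,  topLevelNavigation: false, method: 'GET',  https: true },
  formPostFromOther:   { crossSite: true,  topLevelNavigation: true,  method: 'POST', https: true },
};

// Evaluate a cpm.cookie config across every context above.
function sendMatrix(config) {
  const out = {};
  for (const [name, request] of Object.entries(REQUESTS)) {
    out[name] = cookieIsSent(config, request);
  }
  return out;
}

// The configuration this page recommends
console.log('Strict+Secure  ', sendMatrix({ sameSite: 'Strict', secure: true }));
// CookieHub's default (Lax, not Secure)
console.log('Lax default    ', sendMatrix({ sameSite: 'Lax' }));
// None is only honoured together with Secure
console.log('None+Secure    ', sendMatrix({ sameSite: 'None', secure: true }));
console.log('None, no Secure', sendMatrix({ sameSite: 'None', secure: false }));
```

Run it with node. The Strict row shows the trade-off of the recommended setting: the cookie is withheld from every cross-site request, including the first request a visitor makes when following a link from another site, while Lax still allows that one case. The None-without-Secure row is all false because the browser never stores the cookie in the first place. The model only covers cookies attached to HTTP requests; it says nothing about document.cookie access from script on your own pages.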

You can control the cookie attributes by adding a cookie object to the cpm configuration object that is defined when loading the CookieHub widget on your site.

The default CookieHub widget code looks like this:

<script type="text/javascript">
var cpm = {};
(function(h,u,b){
var d=h.getElementsByTagName("script")[0],e=h.createElement("script");
e.async=true;e.src='https://cookiehub.net/c2/xxxxxxxx.js';
e.onload=function(){u.cookiehub.load(b);}
d.parentNode.insertBefore(e,d);
})(document,window,cpm);
</script>

This is the recommended configuration:

<script type="text/javascript">
var cpm = {
  cookie: {
    sameSite: 'Strict',
    secure: true
  }
};
(function(h,u,b){
var d=h.getElementsByTagName("script")[0],e=h.createElement("script");
e.async=true;e.src='https://cookiehub.net/c2/xxxxxxxx.js';
e.onload=function(){u.cookiehub.load(b);}
d.parentNode.insertBefore(e,d);
})(document,window,cpm);
</script>
