Codesandbox-client: Chrome 80 SameSite=Lax change broke private sandboxes

Created on 5 Mar 2020  ·  11 Comments  ·  Source: codesandbox/codesandbox-client

🐛 bug report

Description of the problem

It looks like the SameSite=Lax change in Chrome 80 has broken private sandboxes. When accessing a private sandbox, the app never loads and the page continues to reload tons of network assets (network tab goes nuts).

If you set chrome://flags/#same-site-by-default-cookies to Disabled, everything goes back to normal. I've tried this with every scale of app, from the most basic, document.write('test') app to a complex React CRA-based SPA and get the same symptoms.

The only cookie I see that's affected by this change is _cfduid, but I'm not 100% sure.

How has this issue affected you? What are you trying to accomplish?

It's broken my heart. I'm not sure I'll ever recover 😭

For real, though -- we leverage CodeSandbox for our organization's FE tech screens. We're able to work around this by instructing our candidates to use Firefox, but we are really averse to any added friction at the start of a tech screen.

Link to sandbox: link (optional)

Useless since you can only see the issue in private sandboxes. Should be easy enough to repro, though.

Your Environment

| Software | Name/Version |
| ---------------- | ------------ |
| Codesandbox | Current |
| Browser | Chrome 80+ |
| Operating System | Mac OS X Catalina |

All 11 comments

I'm having problems reproducing this. Do you have issues when accessing your own private sandbox directly or do problems occur for invited folks during a live session?

@garethx Are you using Chrome 80+? I'm having the issue for my own private sandboxes.

Yes, 82. Which specific version are you using? I'll try matching.

Thanks, @garethx -- I'm on Chrome 80.0.3987.132

Hmm -- I just had a chance to test on my Windows machine and it actually seems like the issue is specific to Mac... On Mac I can only test against Catalina, so I'm not sure if previous versions are having the same problem.

Ahhh -- nope... strangely, it seems like on Windows, the default for chrome://flags/#same-site-by-default-cookies is Disabled. If I explicitly set it to Enabled I'm able to repro in Windows.

(Same Chrome version on both machines)

Update here: just discovered that the change to make chrome://flags/#same-site-by-default-cookies default to Enabled is being gradually rolled out:

https://www.chromium.org/updates/same-site

So, in order to repro this, you may have to explicitly set that flag to Enabled.

I was able to reproduce the behavior:
Chrome 80.0.3987.132, macOS Catalina 10.15.03

Chrome flag needed to be turned on for me: chrome://flags/#same-site-by-default-cookies

codesandbox reloaded so fast it's hard to tell what's going on. It seems like the babel transpiler worker is related: it's the last thing to appear on the source tab of dev tools before crashing.

@jonnyasmar Ah, great catch - that explains why I couldn't reproduce in 80 either. Will flag to the team!

Deploying now, should be live within 15 min!

Can confirm the fix is live and working! Thanks so much @CompuIves
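
The cookie behaviour discussed in this thread, as an added example that is not part of the original issue or CodeSandbox's code: a small JavaScript model of how Chrome 80 treats each Set-Cookie header once SameSite-by-default and the companion "SameSite=None requires Secure" rule are enabled, listing the cookies whose cross-site delivery changes. The cookie names and values are constructed, the function names are hypothetical, and the temporary Lax+POST grace period is not modelled.

```javascript
// Added example: models how Chrome 80 treats a Set-Cookie header when
// SameSite-by-default (and the companion "None requires Secure" rule) is on.
// The temporary Lax+POST grace period is not modelled.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

function classify(header) {
  const c = parseSetCookie(header);
  const explicit = ['strict', 'lax', 'none'].includes(c.sameSite);
  const effective = explicit ? c.sameSite : 'lax'; // missing or unknown value => Lax
  const rejected = effective === 'none' && !c.secure; // None without Secure is dropped
  return {
    name: c.name,
    effective,
    defaulted: !explicit,
    rejected,
    // Cross-site iframe, fetch/XHR and image requests:
    sentCrossSiteSubresource: effective === 'none' && !rejected,
    // Cross-site top-level navigation with a safe method (link click, GET):
    sentCrossSiteTopLevelGet: !rejected && effective !== 'strict',
  };
}

// Names of cookies whose delivery differs from pre-Chrome-80 behaviour.
function changedByRollout(headers) {
  return headers.map(classify).filter((c) => c.defaulted || c.rejected).map((c) => c.name);
}

// Constructed sample headers (not taken from CodeSandbox).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'prefs=dark; Path=/; SameSite=None',
  'embed_auth=xyz; Path=/; SameSite=None; Secure',
  'csrf=tok; Path=/; SameSite=Strict; Secure',
];

console.log(changedByRollout(SAMPLE_HEADERS));
for (const h of SAMPLE_HEADERS) console.log(classify(h));
```

Cookies that must reach a cross-site frame or request need an explicit `SameSite=None; Secure`; anything listed by `changedByRollout` is either silently downgraded to Lax or rejected outright.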
