Paypal-checkout-components: Samesite cookie warnings in Chrome

Created on 10 Oct 2019 · 19 Comments · Source: paypal/paypal-checkout-components

Description

I'm getting a warning in the chrome console for each Secure cookie that paypal generates. The message in the chrome console is:

A cookie associated with a cross-site resource at https://www.paypal.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

When looking at the paypal cookies, I can see that they are marked Secure but no SameSite value is specified.

paypal-checkout version 4.0.273

Steps to reproduce

Go to paypal.com with Chrome and look in the console. I was concerned these warnings were something related to my site, which is why I looked into it, only to find that they are indeed specific to PayPal's cookies.

Affected browsers

Chrome version 77.0.3865.120 64bit
Not seeing it in Opera or Firefox

All 19 comments

Any updates?

+1

I see the same issue in Firefox and Chrome, but not in Opera

Any update on this item? Payment via Chrome v80 inside an iframe won't work. Chrome v80 is going to be released on Feb 4th, 2020.

+1 FYI: the breaking features on pre-v80 Chrome versions can be enabled by turning on the following flags on chrome://flags:

  • SameSite by default cookies
  • Enable removing SameSite=None cookies
  • Cookies without SameSite must be secure

Hi all. Is anyone seeing any actual bugs they can reproduce here? Or just warning messages?

We're aware of this change in chrome and working to make sure nothing will be affected. If you see anything actually breaking, please let me know as soon as possible. Thanks!

I have seen that some extensions and sites, like the one from https://twoseven.xyz/, won't allow the sites hosted in iframes to use cookies for authentication, basically rendering the tools and services broken. I was actually working on a similar tool that requires a site hosted in an iframe to use cookie-based authentication, and I just verified that this will also break that. Perhaps that is the purpose of SameSite: to prevent sites from being hosted in iframes from other domains?

@bluepnume We host checkout pages for clients and have been seeing some errors on our staging sites when we use Chrome v80.

Our failing use case is as follows:

  1. User checks out their shopping cart on a Client site
  2. Client site renders a checkout page with an iFrame where our payment form is displayed.
  3. User clicks a Checkout with Paypal button on the form _inside_ the iFrame (but this request goes to _our_ domain, not paypal.com)
  4. Server side, we use the Express Checkout API to build a valid PayPal request and then redirect to 'https://www.sandbox.paypal.com/checkoutnow' (since we use sandbox PayPal in our staging sites). This essentially takes the operation out of the iFrame, as the intended effect is that the user should now be on paypal.com's login page, where the User can authenticate and complete the payment.

Step 4 is where we have encountered errors. (see screenshot)

[Screenshot: Screen Shot 2020-01-29 at 10 30 54 AM]

Apparently, a completely fresh attempt on a Chrome v80 incognito window works the first time, but all subsequent paypal express checkout attempts fail. The same issue is not encountered when we use a pre v80 Chrome version.

It should also be noted that we also have a use case where a User interacts with our checkout form directly (not in an iframe) and that _we have not encountered issues there_.

Can you clarify -- are you using the PayPal JavaScript SDK or checkout.js? Or are you redirecting the user directly inside the iframe?

Can you share a link where I can try this out?

Redirecting a user to PayPal inside an iframe is not a supported integration. I recommend using the PayPal JavaScript SDK to handle this.

Can you clarify -- are you using the PayPal JavaScript SDK or checkout.js? Or are you redirecting the user directly inside the iframe?

We use neither. We use something called Paypal Express Checkout.

Specifically, we perform a server-side redirect to https://paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-XXXXXXXXXXXXXXXXXX&useraction=commit

Can you share a link where I can try this out?

Let me see if I can get a public domain set up for you.

Redirecting a user to PayPal inside an iframe is not a supported integration. I recommend using the PayPal JavaScript SDK to handle this.

Noted.

Any updates?
On the developer.paypal.com site I get a lot of errors in Chrome 80:
[screenshot]

Is Paypal a dead project or something?! It's still a warning in Chrome, but PayPal payments have stopped working on Firefox ...

@andrewlorenz if PayPal won't fix this type of error it will soon be a dead project

I am still seeing this error. Clearly Chrome 80 carried on allowing this.

Can we assume there will not be a fix for this from PP?

Hi,

These warnings should not block actual payments. @andrewlorenz if you're seeing a specific error or issue in Firefox, can you please raise a new issue with details? Thanks.

Why are we getting these warnings? Can't it be disabled by setting the cookie headers on PayPal's end?

The cookies are being steadily overwritten with the new SameSite flag. For existing cookies you will continue to see these warnings, but there should be no impact. If you see any actual issues, please raise a new GitHub ticket with details. Thanks!
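For the warning quoted in the original report and the question above about fixing it with cookie headers, here is an added example (plain Node.js, not code from paypal-checkout-components or PayPal; the sample headers are constructed) that audits Set-Cookie values against the Chrome 80 rules and builds a value that a cross-site iframe can still receive:

```javascript
// Added example, not code from paypal-checkout-components: audit Set-Cookie header
// values against the Chrome 80 SameSite rules described in the warning above.
// Parse one Set-Cookie value into its cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, attributes };
}

// Findings for one Set-Cookie value under Chrome 80 behaviour:
//  - no SameSite attribute: treated as Lax, so the cookie is withheld from
//    cross-site requests such as a checkout iframe embedded on a merchant page;
//  - SameSite=None without Secure: the cookie is rejected outright.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase() : undefined;
  const findings = [];
  if (sameSite === undefined) {
    findings.push(`${name}: no SameSite attribute; Chrome 80+ defaults to Lax and drops it on cross-site requests`);
  } else if (sameSite === 'none' && attributes.secure !== true) {
    findings.push(`${name}: SameSite=None without Secure; Chrome 80+ rejects the cookie`);
  }
  return findings;
}

// Build a Set-Cookie value that survives cross-site delivery: SameSite=None plus
// Secure (and HttpOnly, so scripts in the embedding page cannot read it).
function crossSiteCookie(name, value, maxAgeSeconds) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=None`;
}

function auditAll(headers) {
  return headers.flatMap(auditSetCookie);
}

// Constructed sample headers (not real PayPal cookies).
const SAMPLES = [
  'session=abc123; Path=/; Secure; HttpOnly',   // the case the Chrome warning reports
  'pref=dark; Path=/; SameSite=None',           // rejected: None without Secure
  crossSiteCookie('session', 'abc123', 3600),   // compliant
];
console.log(auditAll(SAMPLES));
```

Running it prints two findings, one per non-compliant sample, and none for the cookie built by `crossSiteCookie`.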

@bluepnume Payments have not stopped working on Firefox 77.0.1, but they issue a warning on Chrome. Any idea when the Firefox fix is incoming?

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
