Why can my website load bootstrap js but not quilljs with the new chrome cookie rules?


My Flask site sets the SameSite attribute to Lax and is HTTPONLY for SESSION_COOKIE. The site sets a session cookie and google analytics js sets 2 google analytics cookies. These are both first party cookies.

The front end links bootstrap.js on one page, which doesn't produce a SameSite error. This page loads fine. A separate page on this site links quilljs which does produce the SameSite error. The quilljs does not load. I know the Google Chrome 85 behaviour disallows third party cookies. (Another site submitting any request to my site with my site's first party cookies that is not a top level GET request.)

Does this mean that quilljs is sending some non top level GET request to my page after I try to link its js library? And that bootstrap IS sending a top level GET request and thus not erring? Is a top level GET request at minimum always sent from the library or can the browser link the libraries (inject them?) into the page without a GET request from third party to first party?

It appears I have two options:

  1. Find a WYSIWYG editor (which is what Quill is) that doesn't send cookies
  2. Find a way to modify the google analytics cookie to set the SameSite attribute to None

Please confirm that I have a grasp on what is happening and what I think are my options are correct.

Also, if you're super knowledgeable, can you tell me why quilljs only appears to try to send _ga (google analytics) cookies and not the session cookie? This is definitely the case per the Application section of the inspect tool. localhost sends session and 2 _ga cookies and quilljs only sends the 2 _ga cookies.

Thank you very much for any respectful insight you can share.
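The question turns on when a browser attaches a cookie to a request. The following added example (not code from the question or from Flask, Quill or Google Analytics) models the simplified Chrome 80+ rules: a cookie is only ever a candidate for requests to the site it was set for, and for cross-site requests the SameSite attribute decides. The cookie jar, the hosts `example.test`, `cdn.quilljs.test` and `other.test`, and the request shapes are all constructed for illustration.

```python
from dataclasses import dataclass

# Request methods that SameSite=Lax allows on cross-site top-level navigations
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str                 # registrable domain the cookie was set for
    same_site: str = "Lax"    # Chrome 80+ treats a missing attribute as Lax
    secure: bool = False
    http_only: bool = False   # HttpOnly hides the cookie from JS; it does not affect sending


@dataclass(frozen=True)
class Request:
    target_site: str            # registrable domain of the URL being requested
    top_level_site: str         # registrable domain of the page in the address bar
    method: str = "GET"
    top_level_navigation: bool = False  # True for link clicks/redirects; False for <script>, <img>, fetch, iframe
    https: bool = True


def cookie_is_attached(cookie: Cookie, req: Request) -> bool:
    """Decide whether the browser attaches `cookie` to `req` (simplified Chrome 80+ rules)."""
    # A cookie only travels to the site it was set for: a first-party cookie is never
    # a candidate for a request to a third-party CDN, whatever its SameSite value.
    if cookie.site != req.target_site:
        return False
    if cookie.secure and not req.https:
        return False
    # Same-site: the request target and the top-level page share a site.
    if req.target_site == req.top_level_site:
        return True
    if cookie.same_site == "Strict":
        return False
    if cookie.same_site == "Lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if cookie.same_site == "None":
        # Chrome 80+ rejects SameSite=None cookies that are not also Secure.
        return cookie.secure
    raise ValueError(f"unknown SameSite value {cookie.same_site!r}")


def attached_cookie_names(jar, req: Request):
    """Names of the cookies in `jar` that the browser would send with `req`."""
    return [c.name for c in jar if cookie_is_attached(c, req)]


# Constructed jar modelled on the question: Flask's "session" cookie with SameSite=Lax
# and HttpOnly, plus two analytics cookies set from JavaScript with no SameSite attribute.
JAR = (
    Cookie("session", "example.test", same_site="Lax", secure=True, http_only=True),
    Cookie("_ga", "example.test"),
    Cookie("_gid", "example.test"),
)

# Constructed requests; the host names are placeholders.
FIRST_PARTY_PAGE_LOAD = Request("example.test", "example.test", top_level_navigation=True)
SCRIPT_FROM_CDN = Request("cdn.quilljs.test", "example.test")               # <script src=...>
CROSS_SITE_LINK = Request("example.test", "other.test", top_level_navigation=True)
CROSS_SITE_EMBED = Request("example.test", "other.test")                    # <img>, fetch, iframe
CROSS_SITE_FORM_POST = Request("example.test", "other.test", method="POST", top_level_navigation=True)

if __name__ == "__main__":
    cases = [("first-party page load", FIRST_PARTY_PAGE_LOAD), ("<script> from CDN", SCRIPT_FROM_CDN),
             ("cross-site link (GET)", CROSS_SITE_LINK), ("cross-site embed", CROSS_SITE_EMBED),
             ("cross-site form POST", CROSS_SITE_FORM_POST)]
    for label, req in cases:
        print(f"{label:24s} -> {attached_cookie_names(JAR, req)}")
```

Two things the model makes visible: a `<script src>` pointing at a third-party CDN never carries the first party's cookies, because they belong to a different site, so SameSite=Lax cannot be what stops such a script from loading; and changing a cookie to SameSite=None (option 2 in the question) makes it travel on cross-site embedded requests as well, which is exactly the cross-site request forgery exposure Lax was protecting the session from. It is worth keeping a session cookie at Lax or Strict even if an analytics cookie is relaxed.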

1 answer

Answered by svyat1s

I don't know what quilljs is, but I think the reason your script isn't loading is CORS and not cookies. Browsers block CORS requests if the server doesn't include the proper CORS headers in its response to the preflight request. So basically, when the browser requests the bootstrap script, the bootstrap server sends the proper CORS headers (access-control-allow-origin: ... and others), and when it requests the quilljs script the server doesn't; that's why the browser restricts that connection. You have two options: configure CORS requests for quilljs or find another tool. You can read more about CORS here.
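The CORS handshake the answer refers to applies to `fetch`/XMLHttpRequest calls and to scripts loaded with a `crossorigin` attribute (a plain `<script src>` runs in no-cors mode and is not subject to it). The added example below, written for this page rather than taken from the answer or any project, models both sides of the handshake in plain Python: which requests trigger a preflight, the headers an allowlisting server should answer with, and the check the browser applies to the response. The origin allowlist, methods and header names are constructed values.

```python
# Requests that stay "simple" need no preflight; anything else triggers an OPTIONS probe first.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Constructed server policy: an explicit allowlist, never a reflected Origin.
ALLOWED_ORIGINS = {"https://app.example.test"}
ALLOWED_METHODS = ("GET", "POST")
ALLOWED_REQUEST_HEADERS = ("Content-Type",)


def needs_preflight(method: str, request_headers: dict) -> bool:
    """True when the browser must send an OPTIONS preflight before this request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in request_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SAFELISTED_CONTENT_TYPES:
            return True
    return False


def cors_response_headers(origin, allowed_origins=ALLOWED_ORIGINS, allow_credentials=False, preflight=False):
    """Headers the server adds for `origin`, or {} when the origin is not on the allowlist."""
    if origin is None or origin not in allowed_origins:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # the response differs per origin, so shared caches must key on it
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_REQUEST_HEADERS)
        headers["Access-Control-Max-Age"] = "600"
    return headers


def browser_accepts(response_headers: dict, origin: str, with_credentials=False) -> bool:
    """Simulate the browser's check on a cross-origin response before exposing it to the page."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False          # no CORS header at all: the page never sees the body
    if acao == "*":
        return not with_credentials  # a wildcard is never accepted for credentialed requests
    if acao != origin:
        return False
    if with_credentials and response_headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


if __name__ == "__main__":
    origin = "https://app.example.test"
    print("preflight for JSON POST:", needs_preflight("POST", {"Content-Type": "application/json"}))
    print("server headers:", cors_response_headers(origin, preflight=True))
    print("browser accepts:", browser_accepts(cors_response_headers(origin), origin))
    print("unknown origin gets:", cors_response_headers("https://other.example.test"))
```

To check which case applies to a failing script, look at the request in the browser's Network panel: a CORS failure shows a response that arrived but was withheld from the page, whereas a cookie problem shows the request succeeding with a different Cookie header. On the server side, keep the allowlist explicit; echoing whatever Origin arrives together with Allow-Credentials lets any site read authenticated responses.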