Update Marketo cookie setting to not break in Chrome 80 | Community
Casey_Grimes2
Level 10
October 31, 2019


Upcoming changes to Chromium are enforcing better policies around using Secure and SameSite flags in cookies. Unfortunately, this conflicts with the way Marketo writes cookies today and could potentially cause major issues for Marketo customers once this is rolled out—Microsoft and Mozilla are also planning to treat cookie flags differently around the same time.

Could cookie writing please be updated at a minimum to have the Secure flag set (and preferably explicitly declare SameSite=None when appropriate on third-party values and Lax on first-party)? Otherwise, this could lead to headaches. Getting it prioritized now will ensure the transition is seamless for Marketo customers.

2 replies

Crystal_Pacheco
Level 4
November 7, 2019

@Courtney Grimes did you experience any issues with people not getting cookied through Marketo? Is this issue relevant to Marketo if the munchkin code is on an external website? Or is it also an issue with Marketo landing pages? The SameSite warning issue is also occurring from Google Tag Manager and most likely Google Analytics as well.

SanfordWhiteman
Level 10
November 7, 2019

The standard public release of Chrome (78) doesn't have the measure implemented yet. The beta (79) has it implemented in A/B mode. Dev + early (Canary) channels have it implemented in full. So regular users are not as of today impacted.

However, what Courtney's looking for isn't entirely possible. You can't set the secure flag on an insecure site, ergo you can't set secure;samesite=none on an insecure site.

Casey_Grimes2
Level 10
November 8, 2019

My understanding (and correct me if I'm wrong) is that it is only the domain the cookie is setting from when third-party that needs to be secure (e.g., if you go to an HTTP-only site but the third party is HTTPS, you can still set a secure flag on the cookie)—strictly speaking, the secure flag only provides confidentiality and not integrity. That would only put the onus on marketo.net to be secure, and it already is.

What you're implying—that there's no way to implement secure;SameSite=none while being insecure—would be a much larger implication of "oh hey everyone using any sort of adtech must have TLS by Chrome 80 for first-party or it'll break", and I just don't see that as the case here.

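A simplified model of the Chrome 80 cookie rules this thread discusses, as an added example that is not part of any post and is not Marketo or Chromium code. It shows how the scheme of whatever sets the cookie interacts with `Secure` and `SameSite`. The function names, the `setterScheme` parameter and the cookie strings are constructed for illustration, and only the scheme is modelled.

```javascript
// Simplified model of the Chrome 80 storage rules for Secure and SameSite.
// Added illustration only: parseAttrs/evaluateCookie are hypothetical names.
function parseAttrs(cookieString) {
  // Drop the leading name=value pair and keep only the attributes.
  const [, ...parts] = cookieString.split(";").map((p) => p.trim());
  const attrs = { secure: false, sameSite: null };
  for (const part of parts) {
    const [name, value = ""] = part.split("=");
    if (name.toLowerCase() === "secure") attrs.secure = true;
    if (name.toLowerCase() === "samesite") attrs.sameSite = value.toLowerCase();
  }
  return attrs;
}

// setterScheme is the scheme of whatever sets the cookie: the response that
// carries Set-Cookie, or the page whose script writes document.cookie.
function evaluateCookie(cookieString, setterScheme) {
  const { secure, sameSite } = parseAttrs(cookieString);
  if (secure && setterScheme !== "https") {
    return { stored: false, reason: "Secure set from a non-secure origin" };
  }
  // A missing or unrecognized SameSite value is treated as Lax.
  const effective = ["strict", "lax", "none"].includes(sameSite) ? sameSite : "lax";
  if (effective === "none" && !secure) {
    return { stored: false, reason: "SameSite=None without Secure" };
  }
  // Only SameSite=None cookies are sent on cross-site subrequests.
  return { stored: true, sameSite: effective, sentCrossSite: effective === "none" };
}

// Constructed cases: [description, cookie string, scheme of the setter].
const cases = [
  ["third-party response over HTTPS", "id=abc; Secure; SameSite=None", "https"],
  ["script on an HTTP page", "id=abc; Secure; SameSite=None", "http"],
  ["SameSite=None without Secure", "id=abc; SameSite=None", "http"],
  ["no attributes at all", "id=abc", "http"],
];
for (const [label, cookie, scheme] of cases) {
  console.log(label.padEnd(34), JSON.stringify(evaluateCookie(cookie, scheme)));
}
```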