ServerEvents & Cookies: SameSite


I’ve noticed that when our Angular webapp subscribes to server events in Chrome I get a SameSite warning which we don’t get if the app doesn’t subscribe to serverevents.


Can anyone explain what we need to do to get around this potential problem?

What are the full returned raw HTTP Headers with the cookies? and what are the actual warnings about it from Chrome?

Hi @mythz

Here are the response headers (running under http whilst debugging):

HTTP/1.1 200 OK
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: text/event-stream
Vary: Accept
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Date: Mon, 14 Feb 2022 08:25:52 GMT

Chrome provides this detail in its ‘Issues’ tab (bottom of the Console page):

Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute

  1. Because a cookie’s  `SameSite`  attribute was not set or is invalid, it defaults to  `SameSite=Lax` , which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie:

    * Specify  `SameSite=None`  and  `Secure`  if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the  `Secure`  attribute.
    * Specify  `SameSite=Strict`  or  `SameSite=Lax`  if the cookie should not be set by cross-site requests.


    1. 2 cookies

    2. 1 request

      1. event-unregister?id=9qNZtAEB5gSDnzZtlT47

  3. * Learn more: SameSite cookies explained

This HTTP Header doesn’t contain any Cookie or Set-Cookie instructions?

Anyway you can specify to use SameSite=Strict cookies with:

SetConfig(new HostConfig {
    UseSameSiteCookies = true

The default is SameSite=Lax, changing to UseSameSiteCookies=false sets cookies with SameSite=None.

I tried that but it had no effect and I don’t get the warning at all if I don’t subscribe to server events.

One thing that is puzzling me is the Chrome issue refers to ‘event-unregister?id=blah’ yet I can’t see that request in Chromes’ network history.