Error Codes Wiki

SameSite Cookie Blocked — Cross-Site Cookie Rejection and Third-Party Cookie Issues


About SameSite Cookie Blocked

Fix SameSite cookie warnings and blocked cross-site cookies that break login sessions, payment flows and embedded content. This guide covers the common causes, step-by-step fixes, and frequently asked questions.

This article is part of our Browser Errors collection on Error Codes Wiki.

Quick Answer

What do the SameSite values mean?

Strict: the cookie is sent only on same-site requests. Lax: sent on same-site requests and on top-level cross-site navigations that use a safe method (a GET from a clicked link or a redirect), but not on cross-site POSTs, iframes, images, scripts or fetch/XHR. None: sent on every request, including cross-site sub-requests; it requires the Secure attribute, so the site must be served over HTTPS.

Key Details

  • SameSite is a cookie attribute that tells the browser whether to attach the cookie to requests initiated from a different site than the one that set it (cross-site requests); it is a CSRF defence, not an access-control mechanism
  • Chrome and other Chromium-based browsers treat a cookie set without a SameSite attribute as SameSite=Lax (with a short "Lax+POST" grace period for cookies less than two minutes old); Firefox and Safari do not apply that default, so behaviour differs by browser
  • SameSite=Lax attaches the cookie to same-site requests and to top-level cross-site navigations with a safe method (a GET from a clicked link or redirect), but not to cross-site POSTs, iframes, images, scripts or fetch/XHR
  • A cookie that must travel in a cross-site context needs SameSite=None; Secure set explicitly; Chrome rejects SameSite=None without Secure, so the cookie will not be stored at all
  • Third-party cookie blocking (Safari's ITP, Firefox's Enhanced Tracking Protection, Chrome's optional block-third-party-cookies setting and its deprecation plans) is a separate mechanism: a cookie that passes the SameSite rules can still be withheld when the browser blocks third-party cookies

Common Causes

  • The cookie was set without a SameSite attribute, so the browser treats it as Lax and drops it from the cross-site request the application relied on
  • Your content is embedded in another site's page as a cross-site iframe (a widget, chat or editor), and the iframe's own session cookie is not sent because the frame's requests are cross-site and the cookie defaulted to Lax
  • A payment provider (hosted checkout, 3-D Secure) returns the user with a cross-site form POST, and the Lax session cookie is not attached to that POST, so the return lands on a logged-out session
  • An SSO flow fails because the identity provider posts the response (a SAML POST binding or an OIDC form_post) to your site cross-site, and the cookie holding the login state is not sent with it
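
The rules listed under Key Details and the scenarios under Common Causes can be checked mechanically. The following Node.js snippet is an added example, not code from Error Codes Wiki: it models Chromium's SameSite storage rules (missing attribute becomes Lax, None without Secure is rejected) and predicts whether a stored cookie is attached to a request, then audits a legacy session cookie against the payment-return, SSO, iframe and link-click cases. The cookie names, values and request contexts are constructed for illustration.

```javascript
// Added example (not from Error Codes Wiki): a small model of Chromium's
// SameSite rules that predicts whether a Set-Cookie header is stored and
// whether the stored cookie is attached to a given request. Cookie names,
// values and request scenarios below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly,
// Partitioned) map to true.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    attrs: {},
  };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Apply Chromium's storage rules: a missing or unknown SameSite value is
// treated as Lax, SameSite=None or Partitioned without Secure is rejected,
// and a Secure cookie cannot be set from a plain-http response.
function storeCookie(header, { https = true } = {}) {
  const c = parseSetCookie(header);
  const secure = c.attrs.secure === true;
  let sameSite = String(c.attrs.samesite || '').toLowerCase();
  const warnings = [];
  if (!['strict', 'lax', 'none'].includes(sameSite)) {
    sameSite = 'lax';
    warnings.push(`${c.name}: no SameSite attribute, defaulting to Lax`);
  }
  if (sameSite === 'none' && !secure) {
    return { stored: false, reason: 'SameSite=None requires Secure', warnings };
  }
  if (c.attrs.partitioned === true && !secure) {
    return { stored: false, reason: 'Partitioned requires Secure', warnings };
  }
  if (secure && !https) {
    return { stored: false, reason: 'Secure cookie set over http', warnings };
  }
  return { stored: true, cookie: { ...c, sameSite, secure }, warnings };
}

// Decide whether a stored cookie rides on a request.
// ctx = { crossSite, topLevel, method }. Chrome's two-minute "Lax+POST"
// grace period for freshly set attribute-less cookies is deliberately not
// modelled: a session cookie set at login is long past it by checkout time.
function cookieSent(stored, ctx) {
  if (!stored.stored) return false;
  if (!ctx.crossSite) return true;                    // same-site: always sent
  switch (stored.cookie.sameSite) {
    case 'none':   return true;                       // any cross-site request
    case 'strict': return false;                      // never cross-site
    default:       // lax: only top-level navigations with a safe method
      return ctx.topLevel && ['GET', 'HEAD'].includes(ctx.method.toUpperCase());
  }
}

// Constructed request contexts matching the Common Causes above.
const SCENARIOS = {
  linkClick:     { crossSite: true,  topLevel: true,  method: 'GET' },  // link from another site
  paymentReturn: { crossSite: true,  topLevel: true,  method: 'POST' }, // PSP / 3-D Secure form POST back
  samlAcsPost:   { crossSite: true,  topLevel: true,  method: 'POST' }, // IdP posts SAMLResponse to the ACS
  iframeWidget:  { crossSite: true,  topLevel: false, method: 'GET' },  // our widget framed by another site
  sameSiteFetch: { crossSite: false, topLevel: false, method: 'POST' }, // ordinary same-site XHR
};

// Audit one Set-Cookie header against one scenario.
function audit(header, scenario) {
  const stored = storeCookie(header);
  return {
    stored: stored.stored,
    reason: stored.reason || null,
    warnings: stored.warnings,
    sent: cookieSent(stored, SCENARIOS[scenario]),
  };
}

// Stand-alone run: node samesite-audit.js
if (typeof require !== 'undefined' && require.main === module) {
  const headers = [
    'sid=abc123; Path=/; HttpOnly',                        // legacy session cookie
    'sid=abc123; Path=/; HttpOnly; SameSite=None',         // forgot Secure: rejected
    'sid=abc123; Path=/; HttpOnly; Secure; SameSite=None', // travels cross-site
  ];
  for (const h of headers) {
    for (const s of Object.keys(SCENARIOS)) {
      const r = audit(h, s);
      console.log(`${h.padEnd(54)} ${s.padEnd(14)} stored=${r.stored} sent=${r.sent}` +
                  (r.reason ? ` (${r.reason})` : ''));
    }
  }
}
```

Feed it your own Set-Cookie headers (copied from the Network panel) to see which scenarios a cookie survives; note that the model is Chromium's, and Firefox and Safari will differ for cookies without an explicit SameSite attribute.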

Steps

  1. Identify the blocked cookies: Chrome DevTools > Application > Cookies (tick "Only show cookies with an issue") or the Issues panel; the Cookies tab of a request in the Network panel explains why a cookie was not sent
  2. For cookies that genuinely need to travel cross-site, set SameSite=None; Secure explicitly in the Set-Cookie header; SameSite=None without Secure is rejected, so the site must be served over HTTPS
  3. Keep the first-party session cookie at Lax or Strict and give the cross-site step its own short-lived SameSite=None cookie (for example a login-state or payment-state value) rather than weakening the main session cookie
  4. A SameSite=None cookie gives up the CSRF protection SameSite provides, so protect the state-changing endpoints that accept it with an Origin/Referer check or an anti-CSRF token
  5. For content embedded in other sites, add the Partitioned attribute (CHIPS) alongside SameSite=None; Secure: the cookie is then keyed to the embedding top-level site and survives third-party cookie blocking in browsers that support CHIPS
  6. Test in a fresh profile or incognito window and in Firefox and Safari as well as Chrome, since their defaults and third-party cookie policies differ; the old chrome://flags SameSite entries were removed once enforcement became the default
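
Putting the steps together on the server side, as an added Node.js example that is not code from Error Codes Wiki: a helper that emits a Lax first-party session cookie, a separate SameSite=None; Secure state cookie for the cross-site return, and a Partitioned cookie for embedded widgets, plus the Origin and state checks that a SameSite=None cookie makes necessary. The origins (idp.example.com, pay.example.net), cookie names and request shapes are assumptions made for the example.

```javascript
// Added example (not from Error Codes Wiki): building Set-Cookie headers that
// pass Chromium's SameSite checks, plus the Origin and state checks that must
// accompany a SameSite=None cookie. Origins, cookie names and the request
// shapes are constructed for illustration.

// Build a Set-Cookie header for one of three cookie roles.
function buildSetCookie(role, name, value, maxAgeSec = 3600) {
  // __Host- prefix: only valid with Secure, Path=/ and no Domain, so the
  // cookie cannot be planted by a sibling subdomain or over plain http.
  const common = `${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; Max-Age=${maxAgeSec}`;
  switch (role) {
    case 'first-party-session':
      // Never needed cross-site: keep SameSite's CSRF protection.
      return `__Host-${name}=${common}; SameSite=Lax`;
    case 'cross-site-return':
      // Must survive a cross-site POST back to us (payment return, SAML ACS).
      return `__Host-${name}=${common}; SameSite=None`;
    case 'embedded-widget':
      // Our widget framed by another site: partitioned per embedding top-level site.
      return `__Host-${name}=${common}; SameSite=None; Partitioned`;
    default:
      throw new Error(`unknown cookie role: ${role}`);
  }
}

// Headers to emit when starting a checkout or SSO flow: the long-lived session
// stays Lax; the short-lived state cookie is the only one allowed cross-site.
function startFlowCookies(sessionId, nonce) {
  return [
    buildSetCookie('first-party-session', 'sid', sessionId),
    buildSetCookie('cross-site-return', 'pay_state', nonce, 600),
  ];
}

// Parse a request Cookie header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Origin check for state-changing cross-site requests. Browsers send Origin on
// cross-site POSTs; fall back to the Referer's origin and fail closed if neither
// header is present.
function originAllowed(headers, allowedOrigins) {
  let origin = headers.origin;
  if (!origin && headers.referer) {
    try { origin = new URL(headers.referer).origin; } catch { return false; }
  }
  return Boolean(origin) && allowedOrigins.includes(origin);
}

// Assumed set of sites permitted to POST back to the return endpoint.
const TRUSTED_RETURN_ORIGINS = ['https://idp.example.com', 'https://pay.example.net'];

// Handle the cross-site return (SAML ACS or payment callback). `headers` are
// lower-cased request headers as Node's http module provides them, `body` the
// already-parsed form body. Returns 'ok' or a rejection reason.
function handleReturn({ headers, body }) {
  if (!originAllowed(headers, TRUSTED_RETURN_ORIGINS)) return 'rejected: untrusted origin';
  const cookies = parseCookieHeader(headers.cookie);
  const expected = cookies['__Host-pay_state'];
  // A missing cookie here is exactly the symptom this page is about: either the
  // cookie was stored as Lax, or SameSite=None was set without Secure.
  if (!expected) return 'rejected: state cookie missing (blocked or expired)';
  if (expected !== body.state) return 'rejected: state mismatch';
  return 'ok';
}

// Wiring (server not started here): in the handler that begins the flow call
//   res.setHeader('Set-Cookie', startFlowCookies(sessionId, nonce));
// and in the return handler call handleReturn({ headers: req.headers, body }).
```

The state cookie is what links the cross-site POST back to the browser that started the flow; because it is SameSite=None, the Origin check is what stops an arbitrary site from posting to the return endpoint with that cookie attached.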

Tags

samesite, cookie, cross-site, third-party, session
