Working with the SameSite cookie attribute
In the spring of 2019, Chrome announced an intent to change cookies to improve security on the web.
With the release of Chrome 80 on February 4th, 2020, the default behaviour of Chrome will change from allowing cookies in a cross-site or third-party context to denying them, unless specific attributes are included as a part of the cookie.
Embedded apps and the SameSite attribute
Since embedded Shopify apps run in an iframe on a different domain than the Shopify admin, they are considered to be in a third-party context.

To designate cookies for cross-site access, a new cookie setting is available in Chrome: SameSite=None. This attribute can be used by services that are running in a third-party context, such as embedded Shopify apps. It explicitly declares that a cookie is available for cross-site access. The SameSite=None setting must always be paired with another attribute, Secure, which ensures that the cookie can only be accessed by a secure connection.
If this attribute is not explicitly set, then Chrome defaults the cookie to SameSite=Lax, which prevents cross-site access. If an app depends on session cookies for authentication but cookies are misconfigured, then Shopify might display the following error in the Shopify admin:
The application can't be loaded, check that your browser allows third-party cookies
Known incompatibilities
Some browsers are known to be incompatible with the SameSite=None attribute. Chromium has posted a list of known incompatible clients and accompanying pseudocode of a potential fix.
Examples
The Chrome team has provided a small list of examples in ASP.NET, JavaScript, PHP, and Python on GitHub.
If you are not using a library please see our shopify_app pull request for a guide on how to update your app.
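The SameSite=None; Secure pairing described above, a fallback for the incompatible clients mentioned under Known incompatibilities, and a readiness check an app could run on its own Set-Cookie headers, written in Ruby since shopify_app is a Ruby gem. This is an added example, not code from Shopify, the shopify_app gem or the Chromium pseudocode; the user-agent checks are an illustrative subset of the Chromium list reproduced here as an assumption, and all function names are hypothetical.

```ruby
# Hypothetical helpers for an embedded app that issues session cookies.
# They operate on plain Set-Cookie header strings, so no Rack dependency.

# True for clients known to mishandle SameSite=None (assumed subset of the
# Chromium list: Chrome 51-66 treated it as Strict; iOS 12 Safari dropped it).
def samesite_none_incompatible?(user_agent)
  ua = user_agent.to_s
  return true if ua =~ /\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\//
  if (m = ua.match(%r{Chrom(?:e|ium)/(\d+)\.}))
    major = m[1].to_i
    return true if major >= 51 && major <= 66
  end
  false
end

# Rewrite one Set-Cookie value so it carries SameSite=None; Secure, the pair
# Chrome 80 requires for a cookie read inside a cross-site iframe.
# - any existing SameSite attribute is replaced
# - Secure is added if missing, and the cookie is refused on plain HTTP
# - incompatible clients get no SameSite attribute at all (the fallback)
def harden_cookie(set_cookie, user_agent: "", secure_request: true)
  parts = set_cookie.split(/;\s*/)
  name_value = parts.shift
  attrs = parts.reject { |a| a =~ /\ASameSite=/i }
  return ([name_value] + attrs).join("; ") if samesite_none_incompatible?(user_agent)

  raise ArgumentError, "SameSite=None must be paired with Secure over HTTPS" unless secure_request
  attrs << "Secure" unless attrs.any? { |a| a.casecmp("Secure").zero? }
  attrs << "SameSite=None"
  ([name_value] + attrs).join("; ")
end

# Check used in a test suite: is this cookie usable from a third-party context?
def cross_site_ready?(set_cookie)
  attrs = set_cookie.split(/;\s*/).drop(1).map(&:downcase)
  attrs.include?("samesite=none") && attrs.include?("secure")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header, as a Rails app might emit before the change.
  puts harden_cookie("_app_session=abc123; Path=/; HttpOnly")
end
```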
Testing your app for SameSite changes
To test your app’s compatibility with SameSite, you will need to enable a Chrome experiment flag. If you’d like to keep a separate browser for testing you can download Chrome Canary – by doing this you’ll be testing on a preview version of Chrome 80 or higher.
- Enable the SameSite flags in your Chrome browser: go to chrome://flags/#samesite and enable these three flags:
  - SameSite by default cookies
  - Enable removing SameSite=None cookies
  - Cookies without SameSite must be secure
- Click Relaunch to restart Chrome with the experimental flags enabled.
- Navigate to your development store's app listing page and select your app. If you already have the app listing page open, it’s a good idea to refresh, then select your app.

- If the app fails to open, there are a few different errors you may see:
  - Fails with an error: the error shown on Chrome 79 or lower, which is not affected by the SameSite changes, differs from the error message that appears for SameSite-related failures in Chrome 80 or above.
  - Fails by incorrectly displaying: if your app looks different from the way it usually would without the experiment flags, the SameSite changes you have made have not succeeded. For example, some apps will identify the error themselves and throw their own error page, while other apps might show with missing functionality.
  - Fails by continuing to refresh or redirect: this occurs if your app refreshes to the point where your browser throws the error message, likely indicating an issue with SameSite cookies.