Beginning in February, the way Google Chrome handles cross-site cookies is changing to prevent cookies without an explicit SameSite policy from loading in cross-origin requests. More details on Chrome’s upcoming changes are available on the Chromium Blog.

How does this affect my application?

As apps are loaded in the BigCommerce Control Panel using an iframe, any cookies that your app uses will be considered “cross-site” cookies from Chrome’s perspective. This includes things like session cookies which may be absolutely essential for your app to function.

Therefore, if these cookies are not set to have a SameSite=None; Secure policy, they will not be sent from the browser at all, and your application may fail to function as intended.

What do I need to change?

Whenever you are setting cookies for your BigCommerce app, make sure that those cookies are set with an explicit SameSite=None; Secure policy.

For further reading, consider Google’s guidance on managing SameSite cookie policies for iframes.

How do I test my app after making these changes?

These changes to Chrome will launch with the release of Chrome 80 and are available in Chrome Canary now for your early testing and verification. If your app installs, loads, and functions correctly in the latest version of Chrome Canary, then you can feel confident it will work in Chrome 80.