How can I resolve a cross-site Google Analytics cookie `SameSite=None` warning in Chrome on Apache 2.4 and PHP 7.1?
B

4

21

My client's website is getting these SameSite cookie warnings in Chrome. I've searched all over and I can't get the warnings to go away. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on an Apache/2.4.7 (Ubuntu) server hosted by DreamHost, running PHP 7.1 for compatibility reasons. To my .htaccess file, I've tried adding:

Header always edit Set-Cookie (.*) "$1; SameSite=None"

and I tried

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

...and I tried

Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"

as well as many other combinations, including SameSite=Lax.

One guide recommends for PHP 7.2 and below:

header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

But that gives me a 500 Internal Server Error.

Yet I am still getting the following three errors:

A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .

(index):1 A cookie associated with a resource at http://doubleclick.net/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

(index):1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

In my research, there seems to be limited information about the warning, and in the guides that are available, I'm not sure if I must identify the cookie by name or how to fix the cookie/headers at their source.

Being answered 13/10, 2019 at 12:26 Comment(0)
B
15

I got a response from Google Chrome Labs after I posted a similar question on their GitHub page.

The cookies triggering the warning are coming from google.com so you will not be able to alter them. The Ads team is aware of these issues and is working to get their cookies fixed before the Feb 2020 stable date. It also means that none of the header directives you're specifying will affect the google.com cookie, it will only cover cookies set for your site.

If you have any cookie warnings that specifically list a domain you control, then you will need to add the correct attributes. -rowan-m

Being answered 1/11, 2019 at 1:23 Comment(3)
They clearly failed, as it's now September 2020 and the error still shows up... - Kyat
February 2023 now and I'm still getting these SameSite messages in Chrome DevTools. - Hepta
I am at 2024. Any luck, guys? Feel like we are time traveling and Google is not - Planimetry
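
Added example (not part of the original thread, and not Google's or Chrome's code): a small Node.js audit that applies the two conditions from the console warnings quoted in the question and separates cookies your own server can repair from third-party ones, as the answer above explains. `SITE_DOMAIN`, the function names and the sample headers are constructed for illustration.

```javascript
// Added example; SITE_DOMAIN and SAMPLE are constructed for illustration.
const SITE_DOMAIN = 'example.com';

// Parse one Set-Cookie value into name, name=value pair and attribute map.
// Attribute names are case-insensitive, so they are stored in lowercase.
function parseSetCookie(value) {
  const [pair = '', ...attrs] = value.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const map = new Map();
  for (const a of attrs) {
    const i = a.indexOf('=');
    map.set((i < 0 ? a : a.slice(0, i)).toLowerCase(), i < 0 ? true : a.slice(i + 1));
  }
  return { name: eq < 0 ? '' : pair.slice(0, eq), pair, attrs: map };
}

// The two conditions named in the Chrome console warnings.
function audit(value) {
  const raw = parseSetCookie(value).attrs;
  const sameSite = typeof raw.get('samesite') === 'string' ? raw.get('samesite').toLowerCase() : '';
  const issues = [];
  if (!sameSite) issues.push('missing-samesite');
  if (sameSite === 'none' && !raw.has('secure')) issues.push('none-without-secure');
  return issues;
}

// Server-side header rules only reach responses served from your own hosts.
function isFixable(host) {
  const h = host.toLowerCase();
  return h === SITE_DOMAIN || h.endsWith('.' + SITE_DOMAIN);
}

// Idempotent repair: SameSite=None and Secure appear exactly once.
function fixCrossSite(value) {
  const { pair, attrs } = parseSetCookie(value);
  attrs.set('samesite', 'None');
  attrs.set('secure', true);
  return [pair, ...[...attrs].map(([k, v]) => (v === true ? k : `${k}=${v}`))].join('; ');
}

// Constructed (responding host, Set-Cookie value) pairs, as read from DevTools.
const SAMPLE = [
  ['www.example.com', 'widget_pref=1; Path=/'],
  ['doubleclick.net', 'tp_a=xyz; SameSite=None'],
  ['google.com', 'tp_b=123; Path=/'],
];
const report = rows => rows.map(([host, v]) =>
  ({ host, name: parseSetCookie(v).name, issues: audit(v), fixable: isFixable(host) }));
console.table(report(SAMPLE).map(r => ({ ...r, issues: r.issues.join(',') })));
```

Use `fixCrossSite` only on cookies that genuinely have to travel in cross-site requests; for session and login cookies, `SameSite=Lax` or `Strict` keeps the cross-site request forgery protection that `None` gives up.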
P
4

Set the field in gtag.js

You can set the field with an inline gtag.js implementation as well.

gtag('config', 'UA-XXXXXX', {
  cookie_flags: 'max-age=7200;secure;samesite=none'
});
Pulchi answered 21/2, 2022 at 15:56 Comment(1)
This solved the issue for me! I'd just add that I needed to run in an incognito window to see it's been fixed. I guess another way to verify is to clear these cookies from the browser. - Apologetics
K
1

I would look at the tracker script. Here is the section about cross-domain traffic in the gtag.js docs. Make sure only the domain is present and no www, http, etc.

gtag('set', 'linker', {
  'domains': ['example.com', 'example-b.com']
});
Kadiyevka answered 18/10, 2019 at 5:42 Comment(0)
I
-1

Have you tried the following?

Header Set Access-Control-Allow-Origin "*"
Header Set Access-Control-Allow-Credentials: true
Header set Set-Cookie: "ACookieAvailableCrossSite; SameSite=None; Secure"

The Console warning doesn’t mean that anything is necessarily broken. Your site continues to work as expected.

Hope this link will help you. Samesite-cookies-ByDefault

Incursive answered 18/10, 2019 at 11:52 Comment(3)
Where you say ACookieAvailableCrossSite, I'm assuming I don't use that actual term? I have about 10 cookie names associated with the google name, do I need to add each one? What would that syntax look like? - Being
Access-Control-Allow- is used for cross site cookies. As you can see on the first line, it allows all domains. So you don't need to add each one. - Incursive
Most websites have the same issue. I hope it will be fixed by Google itself. Just look at the console warning of Stack Overflow on Google Chrome. There you can see the same warning. - Incursive
