feat: add samesite GA cookie property to enable GA in iframe #1463

barnettx · 2021-03-25T06:39:49Z

Problem

Google analytics currently does not work if a form is embedded on a different site.

Set GA cookies to SameSite=None; Secure to allow iframe tracking
Browsers have recently tightened cookie rules by ensuring the top-level domain (the domain in your browser navbar) is the same as the domain of the request before sending cookies in that request. In our case, the default SameSite=Lax for GA cookies meant that GA cookies were not being sent as the top-level domain eg. https://ogp-checkfirst-test-staging.netlify.app/ differed from the requests to http://www.google-analytics.com. SameSite=None tells the browser to ignore this same-domain check and attach the cookies on the GA request.
As far as I can tell, setting SameSite=None has minimal security implications
Because SameSite=None can only be set when the cookie is also Secure and the site is secure, this means that local testing will only work if using https
References about SameSite cookies: https://web.dev/samesite-cookies-explained/
https://medium.com/trabe/cookies-and-iframes-f7cca58b3b9e

BEFORE:
iframe-form-no-GA-har.txt

AFTER:
iframe-forms-GA-har.txt

Tested by exposing my local formsg and embedding it in a test isomer site

feat: add samesite GA cookie property to enable GA in iframe

829e9b1

barnettx requested a review from liangyuanruo March 25, 2021 06:39

liangyuanruo approved these changes Mar 25, 2021

View reviewed changes

liangyuanruo merged commit 6a4ccf7 into develop Mar 25, 2021

liangyuanruo deleted the feat/ga-iframe branch March 25, 2021 10:15

mantariksh mentioned this pull request Mar 30, 2021

build: release v5.4.0 #1493

Merged