Chrome warning for cookie without "SameSite" attribute

[johanbrook]

Describe the bug
In Chrome 78.0.3904.21, I get the following warning when visiting a site with Inter embedded in the CSS:

@import url('https://rsms.me/inter/inter.css');

Live example: https://www.johanbrook.com.

The warning is:

A cookie associated with a cross-site resource at http://rsms.me/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

To Reproduce
Steps to reproduce the behavior:

1. Use Inter as embedded CSS (https://rsms.me/inter/inter.css).
2. Visit the site with Chrome 78+.

Expected behavior
No warning in console.

Screenshots

Environment

• OS: macOS 10.14.4.
• Chrome 78.0.3904.21
• Version of font: Whatever's at https://rsms.me/inter/inter.css at the moment (3.10 at the time of writing).

[rsms]

Thanks. This is unfortunately beyond my control as the CSS files are hosted by Cloudflare which set the cookie.

Cloudflare documentation states:

The _cfduid cookie can only be disabled for Enterprise customers

A thread in their forums: https://community.cloudflare.com/t/google-chrome-warning-about-cloudflare-cookie/123192

Chromium issue related to this: https://bugs.chromium.org/p/chromium/issues/detail?id=954551

We can only hope that Cloudflare adds the SameSite attribute to their Set-Cookie headers.

In the meantime, know that there’s no actual effect from this warning message. Ultimately Chrome will switch from “Lax” behavior to “None” behavior by default, which should have zero impact on your or your users.