How to disable the SameSite Cookies policy in Cefsharp (WinForms C#)

The SameSite attribute on cookies allows you to declare that the cookie should be restricted to a first-party or same-site context (your domain). For example, a request made from ourcodeworld.com to the subdomain cdn.ourcodeworld.com is a same-site request. However, es.ourcodeworld.com is different from cdn.ourcodeworld.com, as they would count as different websites (cross-site request).

In every browser, it used to be normal to send cookies everywhere, but with the new policy in recent versions, users are no longer vulnerable to CSRF and unintentional information leakage.

The problem with this in Cefsharp is that many applications developed some time ago may rely on the old behaviour, so updating Cefsharp to the latest available version (87 at the time of writing) will break the application's functionality. Fortunately, it is possible to turn off the new behaviour by disabling the SameSiteByDefaultCookies feature.

Consider the following example of Cefsharp that launches the same-site sandbox website:

using System;
using System.Collections.Generic;
using System.Windows.Forms;
using CefSharp;
using CefSharp.WinForms;

namespace CefsharpSandbox
{
    public partial class Form1 : Form
    {
        public ChromiumWebBrowser chromeBrowser;

        public void InitializeChromium()
        {
            CefSettings settings = new CefSettings();

            Cef.Initialize(settings);

            // Create a browser component
            chromeBrowser = new ChromiumWebBrowser("https://samesite-sandbox.glitch.me/");

            // Add it to the form and fill it to the form window.
            this.Controls.Add(chromeBrowser);
            chromeBrowser.Dock = DockStyle.Fill;
        }

        public Form1()
        {
            InitializeComponent();

            // Start the browser after initialize global component
            InitializeChromium();
        }
    }
}

The following website should appear, along with its results:

CefSharp Cookies Cross-domain

As you can see, in the cross-site case the cookie is not set, which is the safest behaviour (it encourages developers to state their intent and gives users a safer experience). But as mentioned, you may need this feature disabled. You can disable it through the SameSiteByDefaultCookies flag. In the initialization settings, append the feature name to the disable-features key:

CefSettings settings = new CefSettings();

// Disable SameSiteByDefaultCookies to allow cross-site cookies
// appending the name of the feature at the end of the disable-features key
settings.CefCommandLineArgs["disable-features"] += ",SameSiteByDefaultCookies";

Cef.Initialize(settings);

Launch your application and, if you visit the tool page once again, you will see that the cookies in the cross-site column are now set:

Cefsharp Disable SameSiteByDefaultCookies Features

Exactly what you need to make your application functional once again.
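Because the flag changes how every cookie without a SameSite attribute is treated, it helps to know which of your application's cookies actually depend on it. The following is an added example, not code from the original article: it parses constructed Set-Cookie headers and reports the cookies whose effective mode differs when SameSiteByDefaultCookies is disabled. The names SameSiteAudit, ExplicitSameSite and Effective are hypothetical, and the sample headers are made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: classify Set-Cookie headers by whether their behaviour
// depends on SameSiteByDefaultCookies being disabled.
public static class SameSiteAudit
{
    // Returns the first recognised explicit SameSite value ("strict", "lax", "none"),
    // or null when the attribute is missing or unrecognised (the default then applies).
    public static string ExplicitSameSite(string setCookie)
    {
        foreach (string part in setCookie.Split(';').Skip(1)) // part 0 is name=value
        {
            string[] kv = part.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0].Trim().Equals("SameSite", StringComparison.OrdinalIgnoreCase))
            {
                string v = kv[1].Trim().ToLowerInvariant();
                if (v == "strict" || v == "lax" || v == "none") return v;
            }
        }
        return null;
    }

    // An unlabelled cookie is treated as "lax" with the feature on
    // and as "none" (sent cross-site) with the feature disabled.
    public static string Effective(string setCookie, bool featureDisabled)
    {
        return ExplicitSameSite(setCookie) ?? (featureDisabled ? "none" : "lax");
    }

    public static void Main()
    {
        // Constructed sample headers, not captured from a real site.
        var headers = new List<string>
        {
            "session=abc123; Path=/; HttpOnly",
            "widget=1; Path=/; SameSite=None; Secure",
            "prefs=dark; Path=/; SameSite=Lax",
        };
        foreach (string h in headers)
        {
            string name = h.Split('=')[0];
            bool dependsOnFlag = Effective(h, false) != Effective(h, true);
            Console.WriteLine("{0,-8} default={1,-6} flagDisabled={2,-6} {3}",
                name, Effective(h, false), Effective(h, true),
                dependsOnFlag ? "<- relies on the disabled feature" : "");
        }
    }
}
```

Only the cookies flagged in the last column need the feature disabled; cookies that already declare SameSite behave the same either way.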

Happy coding ❤️!
