Manuel Ortega

Reputation: 21

Why does Chrome block cookies when trying to authenticate as localhost with Nginx?

I have a web page hosted on Ubuntu using nginx with the secure HTTPS protocol. I have had problems with the page because the front end, when trying to make a local connection to my Raspberry Pi, says "Mixed Content: The page at was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint. This request has been blocked; the content must be served over HTTPS."

This error is due to the fact that my hosting uses the HTTPS protocol but my localhost machine uses HTTP, so to correct this I had to run my web page locally.

It turns out that when I go to authenticate on my local network, pointing to my API backend over the HTTPS protocol, the Chrome browser blocks my cookies and I see a warning appear. The weirdest thing is that it works for me in Mozilla Firefox or using Postman.

This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax", and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage

Any solution for this? I found on the internet that you have to set the properties of NodeJS cookies with httpOnly false, secure false and sameSite none, but none of this worked for me :( Any ideas?

Upvotes: 0

Views: 770

Answers (1)

Manuel Ortega

Reputation: 21

I already solved my problem: it was an nginx configuration that did not accept cookies for any page except my mounted domain. Just add this to the nginx configuration:

location /api/ {
   proxy_pass http://localhost:3000/;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection 'upgrade';
   proxy_set_header Host $host;
   proxy_cache_bypass $http_upgrade;
   # Rewrite the Path attribute of upstream cookies so it also carries SameSite=None and Secure
   proxy_cookie_path / "/; SameSite=None; secure";
}

I just added this: proxy_cookie_path / "/; SameSite=None; secure";

For more information click here: How to fix "set SameSite cookie to none" warning? Chrome Extension

Upvotes: 1
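The following is an added example, not code from the question or the answer. It is a simplified model, written for Node.js, of the proxy_cookie_path rewrite shown above and of the Chrome rule quoted in the warning, run over constructed Set-Cookie headers. The function names, the verdict strings and the `sid` cookie are assumptions made for illustration.

```javascript
// Replacement string taken from the nginx directive in the answer above.
const NGINX_REPLACEMENT = '/; SameSite=None; secure';

// Parse a Set-Cookie value into attributes; names are lower-cased and
// surrounding whitespace is trimmed.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Simplified model of `proxy_cookie_path / "<replacement>"`: the leading "/"
// of the Path value is replaced. A cookie with no Path attribute is left
// unchanged, so the extra attributes are never appended to it.
function rewriteCookiePath(header, replacement) {
  return header.replace(/(;\s*path=)\//i, (match, prefix) => prefix + replacement);
}

// Simplified verdict for a cookie set by a cross-site XHR/fetch response,
// following the rule in the Chrome warning quoted in the question.
function crossSiteVerdict(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite === 'none') {
    return attrs.secure ? 'accepted' : 'rejected-none-without-secure';
  }
  return sameSite === 'strict' ? 'blocked-strict'
       : sameSite === 'lax' ? 'blocked-lax'
       : 'blocked-lax-default';
}

// Constructed sample headers (not captured from a real server).
const SAMPLES = [
  'sid=abc123; Path=/; HttpOnly',      // Path present, no SameSite
  'sid=abc123; HttpOnly',              // no Path: the rewrite has nothing to match
  'sid=abc123; Path=/; SameSite=None', // sameSite none with secure false, as tried in the question
];
for (const header of SAMPLES) {
  const rewritten = rewriteCookiePath(header, NGINX_REPLACEMENT);
  console.log(`${crossSiteVerdict(header)} -> ${crossSiteVerdict(rewritten)} | ${rewritten}`);
}
```

The rewrite applies to every cookie that passes through this location, so each of them is then sent on cross-site requests and the API cannot rely on SameSite as its CSRF defence.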
