As per the Chromium project timeline linked below, the stricter rules will be gradually rolled out over the lifespan of Chrome 80. We currently believe that not all users will be affected at once.
Whilst we agree that the changes are good for the web in the long term, they unfortunately mean that our traditional add to cart mechanisms in Smartlink Apps will no longer work correctly for users of Chrome.
The change means that when a user clicks “Add to Cart” in a Smartlink app and the Smartlink app subsequently sends a request to the callback URL specified by the eCommerce site, Chrome will no longer send a cookie with that request and the eCommerce site will therefore be unable to identify the user.
This is likely to manifest in two different ways:
More information can be found on the Chrome Platform Status page: https://www.chromestatus.com/feature/5633521622188032 and the Chromium project page: https://www.chromium.org/updates/same-site
The new restrictions can be enabled in advance of them becoming the default by enabling “SameSite by default cookies” and “Cookies without SameSite must be secure” via the chrome://flags URL.
Note: Magento1 and Magento2 sites be can be upgraded to the latest versions of Personalise-iT (1.8.1.0 for M1 and 2.3.2.0 for M2) to workaround cookie restrictions. The rest of this document does not apply to M1 and M2 sites using the latest versions of Personalise-iT.
There are however several ways detailed below in which eCommerce sites using Smartlink apps can work around the issue.
However please bear the following in mind:
The simplest but least preferable way to ensure that add to cart functionality continues to work is to set the SameSite properties on cookies to “None”. Cookies will also need to be marked as “Secure” (only available in a HTTPS context).
However please bear in mind the following when using this approach:
The prefered solution is to switch to using the Smartlink postMessage mechanism which allows the parent page to listen for ADD_TO_CART_CALLBACK events from within the Smartlink iframe.
Once an ADD_TO_CART_CALLBACK event has been detected, the parent page can take appropriate action to add the item to the cart.
More details can be found at https://developers-v2.custom-gateway.net/#postmessage-api
Note: The data structure used in the postMessage mechanism is different to the structure used by the legacy “ep3dUrl” mechanism. If you wish to maintain the same data structure as the legacy mechanism, option (3) might be preferable.
A hybrid approach for those who wish to continue using the legacy “ep3dUrl” callback mechanism is to replace the logic within the callback page with a simple page that communicates item details to the parent page using the postMessage API.
The parent page can then listen for a message from the callback page and take appropriate action to add the item to the user’s cart.
It is important to remember that cookies won’t be sent to the callback page by the user’s browser. This will likely cause your callback page to initiate a new session and reply to the browser with a new cookie. Please ensure that this doesn’t happen as it could mean that subsequent requests made by the parent page will use the new cookie rather than the original.
Example code:
Callback page:
<script>
function getDataFieldFromPost() {
// Use your server side scripting language of choice to extract the "data" field
// from the POST request sent to your callback page by the smartlink iframe and
// make it available to client side JS.
//
// Don't forget to:
// - make sure everything is correctly escaped and XSS safe.
// - not send any cookies in the response
return "...";
}
window.parent.postMessage({
name: 'SMARTLINK_ADD_TO_CART_CALLBACK',
body: JSON.parse(getDataFieldFromPost())
}, window.location.origin);
</script>
Parent page:
<script>
function doAddToCart(body) {
// Trigger the same logic that the original version of your callback URL was performing
}
window.addEventListener("message", function(e) {
if(e.origin == window.location.origin) {
var name = e.data.name;
var body = e.data.body;
if(name == 'SMARTLINK_ADD_TO_CART_CALLBACK') {
doAddToCart(body);
}
}
});
</script>
A completely alternative approach would be to embed a token into your legacy “ep3dUrl” callback URL that uniquely identifies either the session or cart.
Your callback URL should then use said token to determine the current user or cart. As with option (3), the callback URL should not create a new cookie.
Whilst simple to implement, please be aware of the potential security risks with this approach: