Issue with Chrome 80 and SameSite cookie changes

Hi there

I run my own notebook hosting platform.

A few weeks ago some users complained about getting a 403 Forbidden when loading their notebook; I have started to document my findings on this matter at https://github.com/parmentelat/nbhosting/issues/111

It appears the issue has to do with a recent change in Chrome, currently being rolled out, and outlined in this post.

I was wondering if anybody had been exposed to something similar recently.

I ran into this issue while Chrome initially rolled out:


However, this is still currently easily reproducible with Chrome Canary (or by simply opting in to the SameSite changes).

Jupyter sends Set-Cookie for _xsrf with no SameSite property, so Chrome rejects it. Then a Jupyter action like creating a new text file will fail.

As a solution, I made my middleman proxy read these Set-Cookie headers and write them back with SameSite=None and Secure. The _xsrf cookie goes through now. But who knows what else could be wrong? Embedding the notebook is officially documented and seemingly not working.
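
The proxy-side rewrite described in the reply above, sketched as an added example (not part of the original thread and not the poster's actual proxy code). The function names, the allowlist of cookie names and the sample headers are assumptions constructed for illustration.

```python
# Added example: rewrite selected Set-Cookie headers in a reverse proxy so the
# cookie carries "Secure; SameSite=None". All names here are hypothetical.

def rewrite_set_cookie(value, names=("_xsrf",)):
    """Return one Set-Cookie header value, rewritten if its cookie is listed."""
    # Attributes are separated by ';'. Never split on ',' because the
    # Expires date contains one.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return value  # malformed header: pass through untouched
    cookie_name = parts[0].split("=", 1)[0].strip()
    if cookie_name not in names:
        return value  # not allowlisted: keep the browser's default SameSite
    kept = [parts[0]]
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key in ("samesite", "secure"):
            continue  # drop existing values so they are not duplicated
        kept.append(attr)
    kept += ["Secure", "SameSite=None"]
    return "; ".join(kept)


def rewrite_headers(headers, names=("_xsrf",)):
    """Apply the rewrite to every Set-Cookie in a list of (name, value) pairs."""
    out = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            value = rewrite_set_cookie(value, names)
        out.append((key, value))
    return out


# Constructed sample upstream response headers (not captured from a real server).
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "_xsrf=2|abc123|def456|1580000000; "
                   "expires=Thu, 27 Feb 2020 10:00:00 GMT; Path=/"),
    ("Set-Cookie", "_xsrf=x; Path=/; SameSite=Lax"),
    ("Set-Cookie", "other=1; Path=/"),
]

if __name__ == "__main__":
    for key, value in rewrite_headers(SAMPLE):
        print(f"{key}: {value}")
```

Chrome only accepts SameSite=None together with Secure, so the rewritten cookie is usable only when the embedded page is served over HTTPS. Restricting the rewrite to named cookies leaves the default SameSite handling in place for everything else the upstream sets.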