CSS resources behind an authentication wall fail to fetch during playback when SameSite=Strict is set

Symptoms:

When CSS resources are behind an authentication wall, these resources may fail to load during playback - even when you are authenticated - if the session cookies have SameSite=Strict set.

Explanation: 

When you authenticate to your site, a SameSite=Strict attribute may be set on your session cookies. If so, those cookies will only be sent in a first-party context and will not be sent along with any requests initiated by third party websites. This means that these cookies will only be sent if the URL in the browser's address bar matches the site that set the cookie. Unfortunately, this is never the case for the FullStory playback.

How do I find out if I’m using SameSite=Strict?

Log in to your site > open Chrome's Developer Tools > click on the Application tab > find Cookies on the left, and then click on the site's domain. 

On the right, the cookie list includes a column with the "SameSite" value for each cookie. 

Ramification:

If SameSite=Strict is a requirement for your site, then making the CSS resources public - instead of requiring authentication - would allow FullStory to fetch the CSS resources successfully during playback.

Read more:

The MDN page describing the SameSite attribute. 

Need to get in touch with us?

The FullStory Team awaits your every question.

Contact us