How Google broke compatibility for everyone!

Or how I became one of the first victims of the dreaded third-party cookies ban from Google and Microsoft!

Alexandru I. Neacsu
Apr 2, 2020

Two days ago, I got a panicked phone call from a client that sells close to 20k per day using his Magento 2 website.

“The payments have stopped working for everyone!”

I spent 2 days looking at logs and going back and forth on emails from the payment provider (PayPal) to the hosting guys, back to PayPal, back to the hosting guys. Nobody had a clue what was happening.

I combed through a thousand lines of logs in the hopes I could find at least a reason that would explain why the payments just … stopped working.

I was sure it wasn’t a browser issue; it was happening on clients using mobile as well as PCs, right? At first, I was sure it was definitely the PayPal provider! After a quick chat with them, I understood it’s not PayPal. But the logs were empty.

Some payments were getting through, roughly 20% of them. It even worked for me 2 out of 10 times (I still can’t explain why).

Until I found this:

A small line inside the logs. I googled it. Nothing. I was sure the web hosting guys broke something and our sessions were somehow getting corrupted. I switched off Redis, to no avail.

Not only that, but I was stuck. Until I noticed this small line in the frontend output. And man it took me years to notice it through all the crap there!

Did you spot it? It’s Google up to their old shenanigans again, actually enabling the third-party cookie specs and forcing developers to comply. After that, it was fairly easy to go through the git repos and link it back to my payment failing dramatically. That’s where I found this gem:

Google actually managed to break compatibility with their products.

So, this is what happens when you do a phased rollout on an internet killing feature that everybody told you not to do; I know there are some people out there with fancy titles like “Developer Ninja” at Google, Microsoft that are pushing bullshit buzzwords like “Growing Pains” or “Fail Upwards” but for the developers and people affected by this, this is really a problem.

People at my client’s hosting provider (somewhere in Calcutta) don’t even understand what the issue is, they have no clue on how to fix it.

After some more digging I found that guys and girls at Magento knew about this but didn’t even bother to do a notice when it was reported in February.

I guess the notice system that they pushed into the admin interface doesn’t work for anything else but conference announcements and version updates.

So. In the end. They don’t seem to care that much about the businesses and users they are hurting. It’s just progress for progress, since the update itself is pretty easy to nullify by just adding the following lines to the .htaccess file:

<IfModule mod_headers.c>
# Append SameSite=None to the PHP session cookie so it is sent on cross-site requests again.
# Browsers enforcing the new default only accept SameSite=None on cookies that also carry Secure.
Header always edit Set-Cookie ^(PHPSESSID.*)$ $1;SameSite=None
</IfModule>

It will make the internet just a bit more insecure.

But it’s at least a temporary fix until Google, Firefox and the others figure out how to do rollouts.
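
To see what the .htaccess rule above changes, here is an added example (not code from the original post or from Magento) that models how a browser enforcing the new SameSite defaults treats a cookie on a cross-site POST, assumed here to be the redirect back from an external payment page. The cookie values are constructed, the function names are hypothetical, and Chrome's temporary two-minute Lax+POST allowance is not modelled.

```python
import re

def apply_page_rule(header):
    """Python equivalent of the .htaccess edit: append SameSite=None to PHPSESSID."""
    return re.sub(r"^(PHPSESSID.*)$", r"\1;SameSite=None", header)

def parse_attrs(header):
    """Map lower-cased Set-Cookie attribute names to their values ('' for flags)."""
    attrs = {}
    for part in header.split(";")[1:]:      # element 0 is name=value
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key.lower()] = value.strip()
    return attrs

def cross_site_post_verdict(header):
    """Return (verdict, effective SameSite mode) for a cross-site POST."""
    attrs = parse_attrs(header)
    mode = attrs.get("samesite", "").lower()
    if mode == "none":
        # SameSite=None is only honoured together with Secure; otherwise
        # the browser discards the cookie when it is set.
        return ("sent", "none") if "secure" in attrs else ("rejected", "none")
    if mode == "strict":
        return ("withheld", "strict")
    # No usable SameSite value: the new default (Lax) applies, and Lax
    # cookies are not attached to cross-site POST requests.
    return ("withheld", "lax")

# Constructed sample headers (not taken from the site's logs).
SAMPLES = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "PHPSESSID=abc123; path=/; secure; HttpOnly",
    "form_key=xyz789; path=/",
]

def report(samples=SAMPLES):
    """Return (cookie name, verdict before the rule, verdict after) per sample."""
    rows = []
    for header in samples:
        edited = apply_page_rule(header)
        rows.append((header.split("=", 1)[0],
                     cross_site_post_verdict(header)[0],
                     cross_site_post_verdict(edited)[0]))
    return rows

if __name__ == "__main__":
    for name, before, after in report():
        print(f"{name:10} before={before:9} after={after}")
```

The first row shows that the rule only restores the session when the cookie is already marked Secure, and the last row shows that cookies other than PHPSESSID are left on the Lax default.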
