Loading
Upcoming Mandatory Changes to Public Key Infrastructure (PKI)Read More
Salesforce Enforces New Security Requirements in Summer 2026Read More

Google Chrome Browser Release 84 Changes SameSite Cookie Behavior and Can Break Salesforce Integrations

Publish Date: Jun 21, 2026
Description

Chrome changed the default cross-domain (SameSite) behavior of cookies coinciding with the stable release of Chrome 84 on July 14, 2020, with enforcement enabled for Chrome 80+. The SameSite attribute on a cookie controls its cross-domain behavior. If no SameSite attribute is specified, Chrome 84 sets cookies as SameSite=Lax by default. After the Chrome 84 release, developers can opt in to unrestricted use by explicitly setting SameSite=None; Secure.

When Will the Chrome SameSite Changes Go Live?

The SameSite changes coincide with the stable release of Chrome 84 on July 14, 2020, with enforcement enabled for Chrome 80+. If you prepared your org for Google's initial rollout in February 2020, no further action is needed.

    Resolution

    To prepare for Google Chrome's SameSite cookie enforcement, Salesforce orgs must require HTTPS connections, update custom integrations that rely on cookies for cross-domain communication, and explicitly set the SameSite=None; Secure attribute on cookies used cross-domain.

    What Does This Mean for Me?

    These SameSite changes may require you to make changes in your org:

    1. Cookies do not work for non-secure (HTTP) browser access, including any community, portal, site, or Outlook or Gmail integration in your org. Use HTTPS instead.
    2. Custom integrations that rely on cookies might no longer work in Google Chrome, particularly for cross-domain communication and integrations using iframes.

    What Do I Need to Do?

    1. Use HTTPS instead of HTTP
    To require HTTPS access in your org, ensure that the following Session Settings in Setup are enabled. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.

    • Require secure connections (HTTPS) — Determines whether HTTPS is required to log in to or access Salesforce.
    • Require secure connections (HTTPS) for all third-party domains — Determines whether HTTPS is required for connecting to third-party domains.

    2. Test custom Salesforce integrations that rely on cookies
    Before the Chrome 84 release, test any custom integrations that rely on cookies. If you find regressions, update the SameSite attribute on cookies used for cross-domain communication to explicitly set SameSite=None; Secure.

    What Does This Mean for Sales and Service in Lightning Experience?

    Salesforce updated the SameSite attribute on cookies set by Salesforce in Spring '20, applying to Chrome 78 and later. Test in a sandbox with the latest version of Chrome.

    What Does This Mean for B2C Commerce, B2B Commerce, Marketing Cloud, Pardot, and Tableau?

    Each cloud product has a dedicated knowledge article for SameSite impacts. See the Additional Resources section below for links to each product-specific article.

    Knowledge Article Number

    000381201

     
    Loading
    Salesforce Help | Article