Critical

Fix: SameSite=None Cookie Blocked Without Partitioned

Updated April 2026

Audit your cookies automatically. Cookie Partitioning Auditor →

Chrome 118+ silently blocks SameSite=None cookies that don't include the Partitioned attribute in third-party context. No error in your console. The cookie just disappears.

What's happening

Your Set-Cookie header looks like this:

Set-Cookie: session=abc; SameSite=None; Secure

Chrome 118+ requires the Partitioned attribute on any cookie that needs to work when your site is embedded in another site's context:

Set-Cookie: session=abc; SameSite=None; Secure; Partitioned

Why it's silent: Chrome doesn't show an error. The cookie is set successfully in first-party context (your own domain). The failure only happens when your page is loaded inside an iframe or fetched cross-site. You won't see it until a user reports a broken embed.
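
Because the browser reports nothing, the place to catch this is the response headers themselves, for example in a test that inspects what your server sends. The following is an added example, not code from this page: it parses Set-Cookie values and flags SameSite=None cookies that lack Partitioned, and it goes slightly further by also flagging a missing Secure, which both SameSite=None and Partitioned require. The function names, issue labels and sample headers are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into its name and a map of attributes.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Return one finding per problem found in a list of Set-Cookie values.
function auditSetCookie(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const sameSite = String(attrs.get('samesite') || '').toLowerCase();
    const secure = attrs.has('secure');
    const partitioned = attrs.has('partitioned');
    if (sameSite === 'none' && !secure) {
      findings.push({ name, issue: 'samesite-none-without-secure' });
    }
    if (partitioned && !secure) {
      findings.push({ name, issue: 'partitioned-without-secure' });
    }
    if (sameSite === 'none' && secure && !partitioned) {
      // The case this page describes
      findings.push({ name, issue: 'samesite-none-without-partitioned' });
    }
  }
  return findings;
}

// Constructed sample headers (not captured from a real site)
const sampleHeaders = [
  'session=abc; SameSite=None; Secure',
  'session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/',
  'prefs=dark; SameSite=Lax; Path=/',
  'widget=1; samesite=none; Partitioned',
];
console.log(auditSetCookie(sampleHeaders));
```

A finding only matters for cookies that have to work when your site is embedded or called cross-site; first-party cookies are not affected.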

Fix by framework

Express / Node.js

res.cookie('session', value, {
  sameSite: 'none',
  secure: true,
  partitioned: true,  // adds Partitioned attribute
  httpOnly: true,
  path: '/',
});

// Or via raw header:
res.setHeader('Set-Cookie',
  'session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/'
);

Next.js App Router

// app/api/route.ts
// cookies().set() doesn't support Partitioned yet — use raw header:
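import { NextResponse } from 'next/server';

export async function GET() {
  // A route handler has to return its own response;
  // NextResponse.next() is only valid in middleware.
  const response = NextResponse.json({ ok: true });
  response.headers.append(
    'Set-Cookie',
    'session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/'
  );
  return response;
}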

Nginx

# In your server or location block:
add_header Set-Cookie "session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/" always;

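# Or if proxying upstream: the documented proxy_cookie_flags flags are
# secure, httponly and samesite, so set those there and append Partitioned
# through the Path rewrite (this assumes the upstream cookie has Path=/):
proxy_cookie_flags session secure samesite=none;
proxy_cookie_path / "/; Partitioned";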

Cloudflare Workers

export default {
  async fetch(request) {
    const response = await fetch(request);
    // Copy the response so its headers become mutable
    const newResponse = new Response(response.body, response);
    newResponse.headers.append(
      'Set-Cookie',
      'session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/'
    );
    return newResponse;
  },
};

Which cookies need Partitioned?

Use case | Needs Partitioned?
Session cookie on your own domain | No: first-party, not affected
Cookie set by an embedded widget | Yes: third-party context
Auth cookie for an API called cross-site | Yes: cross-site request
Preference cookie on your own domain | No: first-party