[FIXED] Why Netflix stopped working on TwoSeven

Update (2020-03-26): If you’re on v2.1.5.2 or greater, you don’t have to follow these instructions. If you’re still having trouble accessing Netflix on TwoSeven, get in touch with us!

Recently, Netflix marked a couple of cookies with an additional flag: SameSite=Lax. This innocent-looking change completely broke the TwoSeven extension’s ability to embed Netflix.

You will need extension version v2.1.5 or greater to get Netflix to work. This version is already available on Firefox and Chrome. This post discusses cookies, how they work, recent changes to their behavior, and finally, what you need to do to get Netflix to work on TwoSeven.

As a result of this change by Netflix, users were left with Netflix’s login screen, and no matter how many times they try to login, it would simply show them the same login screen again—understandably leading to anger and frustration.

Unfortunately, the two cookies that were modified were ones that denote the login session. As a result of the change, they were no longer being sent as part of browser requests to netflix.com. This in turn led Netflix to believe that the user was not logged in.

What are cookies?

Cookies are among the easiest methods available for websites to save tiny bits of information on a user’s browser. While cookies themselves are not inherently malicious in any way, they can be used by websites to track/profile individuals in a very effective manner. Generally, cookies can be of two types: first-party cookies and third-party cookies. Let’s say you visit website-A. Any cookie set by website-A would be considered a first-party cookie. However, if website-A contained ads, then a request was made to, say, website-ADS to load ads. When your browser makes this request, website-ADS may ask your browser to store some cookies on its behalf as well. These cookies would be considered third-party cookies, since website-ADS does not match the website you visited (website-A).

How does this help tracking individuals?
Consider a scenario where you visit Amazon to do some shopping. You browse through a few items, and then you decide to check your Facebook. Unknown to you, Amazon made a request to an ad website which stored a cookie on your browser. Now, if Facebook also makes a request to the same ad website (almost certainly already taking place), then the ad website can now uniquely identify you using the cookie it stored earlier. As a result, you will potentially start seeing ads on Facebook that are highly relevant to your recent Amazon activity.

SameSite and the death of the third-party cookie

Google plans to phase-out third-party cookies entirely to prevent cross-website tracking like the scenario described above. One of the ways in which they achieve this is by adding a new attribute to cookies—SameSite. The SameSite attribute can contain one of three values: None, Lax, Strict. Cookies marked with SameSite=None will be accessible to third-party websites, but only if it is also marked with secure=true. On the other end of the spectrum, cookies marked with SameSite=Strict are treated as first-party cookies, and are not sent on any requests made to other domains—thereby eliminating cross-website tracking. Finally, cookies marked with SameSite=Lax is sort of the middle-ground. These cookies will only be sent on top-level navigations. This is important, since when Netflix is embedded within TwoSeven, loading of netflix.com isn’t considered a ‘top-level navigation’. As a result, the cookies that identify the logged-in user are never sent across.

Initially, cookies with no SameSite attribute were being treated as SameSite=None, and thus continued to work in all cases. However, in February this year, Chrome also began treating cookies with no SameSite attribute as SameSite=Lax. All of this required the TwoSeven extension to come up with a strategy to deal with these changes to cookies.

How we deal with SameSite

TwoSeven has two ways of dealing with SameSite. First, through the extension settings, it allows users to configure the domains on which to work around SameSite restrictions. These workarounds only apply when the configured domains are embedded within twoseven.xyz. In other words, adding netflix.com to this list will make no difference until netflix.com is embedded within twoseven.xyz.

When the extension updates to v2.1.5 or is installed fresh, it creates a new cookie store. When a website is added to the list, all cookies associated with the website are copied over to TwoSeven’s special cookie store. Later, when the same website is embedded within twoseven.xyz, and makes requests, these cookies are attached to those requests. This way, Netflix gets to know about the cookie that identifies you and validates your Netflix profile.

What you need to do

To enable Netflix to work on TwoSeven, first, open the extension settings page, and add netflix.com domain to the ‘Bypass “SameSite” restrictions’ list. Once we do this, the TwoSeven cookie store gets automatically populated with existing Netflix cookies.

Now, simply refresh your twoseven tab for changes to take effect. Here’s an end-to-end video of the entire process:

Last resort

If all else fails, try toggling the Override cookies to SameSite=None switch. Note that this should be used as a last resort, as this essentially reverts your browser to a pre-SameSite era, where all of the cookies are accessible for cross-website tracking. There are also potential security implications from making this change, as your cookies may be exposed to malicious domains. Currently, there is no safe way to undo this change. You would need to clear your cookies for the website in question.

Known issues

There are a couple of known issues with this approach:

Unable to login when Netflix is embedded on TwoSeven

There is a workaround for this issue:

  • Log into Netflix in a new tab
  • Open extension settings
  • Add netflix.com to the list of domains which to bypass SameSite restrictions
  • Refresh existing TwoSeven tab or load a new one
  • Open the Netflix tab on TwoSeven.
  • It should take you to the profile selection page
Cannot change Netflix profile in Netflix embed

There is no known fix for this issue. We’re currently investigating why this is the case, and hope to fix it at a later point in time.

Your session has expired / Something went wrong

If you see an error that you’re not able to get past, or if your Netflix feels broken, simple visit https://www.netflix.com/clearcookies. That should clear out all Netflix cookies, and allow you to log in properly.

Let us know if you’re facing any other difficulties or issues in logging into websites when they’re embedded on TwoSeven.