"SameSite=none" does not work with iframe
After upgrading to Chrome version 80.0.3987.132, cookies are not sent with the iframe request. On the Network tab (Chrome Dev Tools), I do not see cookies for my requests.

After turning on the option "show filtered out request cookies", I see my cookies marked "This cookie was not sent due to user preferences."

The header for the cookie set:

set-cookie: token=jf23HaUI91Bd8L1chHq; expires=Wed, 18-Mar-2020 16:01:59 GMT; Max-Age=1799; path=/; SameSite=None; secure; domain=.example-domain.com; HttpOnly

When I open an iframe on the same domain everything works fine, but if it is a third-party domain, via http or https, cookies do not work.

Has anyone come across this or know how to fix it?

Catholicon answered 18/3, 2020 at 16:12 Comment(3)
Is this over https? Over http I don't think this will work. You have the secure flag in your header, requiring a secure connection. – Cesarcesare
I have a similar problem with https + samesite=none;secure + iframe: cookies are not passed. Did you find the solution, @mikolay-bet? – Asymmetric
It's been a while, no answer yet! – Radicand
-9

Deselect Block third-party cookies on chrome://settings/content/cookies

Catholicon answered 18/3, 2020 at 16:55 Comment(1)
This is not a solution; you can't have all your users disable third-party cookie blocking! – Khrushchev
0

I think you should ensure that the SameSite flag is always set to None for those cookies. If it's initially set to Lax, and then you try to make it None, it may not work.

Also, you should ensure that the Secure flag is always set to true for SameSite=None cookies.

Windhover answered 19/4, 2021 at 22:32 Comment(0)
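The Chrome 80 rules this answer relies on (a missing SameSite attribute is treated as Lax, SameSite=None is rejected unless Secure is also present, and a cross-site cookie is still subject to the user's third-party cookie setting), as an added Python model that is not code from the question or any answer. The Set-Cookie header is the one from the question; the publisher and widget URLs are constructed, and the same-site check is simplified to the last two host labels.

```python
from urllib.parse import urlsplit

# Set-Cookie value copied from the question (the token value is the question's own sample).
QUESTION_HEADER = ("token=jf23HaUI91Bd8L1chHq; expires=Wed, 18-Mar-2020 16:01:59 GMT; "
                   "Max-Age=1799; path=/; SameSite=None; secure; "
                   "domain=.example-domain.com; HttpOnly")

def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def effective_samesite(attrs):
    """Chrome 80 defaults: no SameSite -> lax; None without Secure -> rejected (returns None)."""
    mode = attrs.get("samesite", "lax").lower()
    if mode not in ("none", "lax", "strict"):
        mode = "lax"                     # unrecognised values fall back to Lax
    if mode == "none" and "secure" not in attrs:
        return None                      # Chrome drops the cookie entirely
    return mode

def site_of(host):
    """Registrable domain, simplified to the last two labels (no public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def sent_to_iframe(header, top_url, frame_url, block_third_party=False):
    """Decide whether the cookie rides on an <iframe> request from top_url to frame_url."""
    _, _, attrs = parse_set_cookie(header)
    mode = effective_samesite(attrs)
    if mode is None:
        return False, "rejected: SameSite=None requires Secure"
    top, frame = urlsplit(top_url), urlsplit(frame_url)
    if "secure" in attrs and frame.scheme != "https":
        return False, "not sent: Secure cookie on a non-https request"
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and not (frame.hostname == domain or frame.hostname.endswith("." + domain)):
        return False, "not sent: request host outside the cookie's Domain"
    if site_of(top.hostname) == site_of(frame.hostname):
        return True, "sent: same-site request"
    if mode != "none":
        return False, f"not sent: SameSite={mode} on a cross-site request"
    if block_third_party:
        return False, "not sent due to user preferences (third-party cookies blocked)"
    return True, "sent: SameSite=None; Secure cross-site"
```

The last branch is the situation in the question: the header is correct, and the only remaining reason for the cookie to be withheld is the browser's third-party cookie setting.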
0

If you are using an iframe with https, sandbox your iframe to get cookies working:

referrerpolicy="strict-origin-when-cross-origin"
sandbox="allow-forms allow-modals allow-popups allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation"
allow="encrypted-media; fullscreen; oversized-images; picture-in-picture; sync-xhr; geolocation;"
allowpaymentrequest="true"
allowpopups
allowfullscreen

Not sure what else you will need.

And you also may or may not need your service in the iframe to set cookies with extra params:

Path=/; HttpOnly; Secure; SameSite=none
Borst answered 28/5, 2023 at 18:54 Comment(0)
-2

It works for me, setting the cookie via PHP; this is a HACK for PHP < 7.3 (!)

// The path argument smuggles "; SameSite=None" into the Set-Cookie header,
// because PHP < 7.3 has no dedicated samesite option.
session_set_cookie_params(3600*24, '/;SameSite=None', $_SERVER['HTTP_HOST'], true);

(secure = true is important)

Pewter answered 16/8, 2020 at 13:22 Comment(0)
-2

In case of hosting in IIS, you can add the configuration below in web.config to avoid the browser applying SameSite=Lax:

<sessionState mode="InProc" cookieless="UseCookies" cookieSameSite="None" timeout="20"/>
Borgeson answered 24/9, 2020 at 12:58 Comment(0)
