Browser blocks cross domain iframe cookies - django

I have a forum-like component which I use in an iframe on other websites. This component uses django-allauth for authentication with Facebook and Twitter. Everything worked fine, but the authentication stopped working some time ago. When I look at the cookies in my browser, the cookies from Facebook/Twitter that are set by the iframe are not loaded, although the cookies from the component itself are set.
The authentication still works when I load the iframe on a website which is on another subdomain of the component itself.
Tool on another subdomain (working):
https://shop-sandbox.adbuddy.be/discussie/
Tool on a totally different domain (not working):
https://mama-calinka.webbuddy.be/discussie/
I guess this problem had something to do with CORS-headers but nothing I've tried helped. Can someone help me with this problem please?

If this stopped working only very recently, it could be related to Chrome's recent breaking change: if a cookie's SameSite attribute is not explicitly set, it defaults to SameSite=Lax, which prevents your browser from sending the cookie in cross-site requests.
I checked your https://shop-sandbox.adbuddy.be/discussie/ - there are many cookies with SameSite empty.
There could be a couple more reasons why a browser ignores a cookie in the request, and I tried to sum all of them up in my blog here.

Related

Unable to set cookie on Safari (Works on Chrome)

Hi, I have been creating my first MERN stack web application and deployed the frontend and backend on separate domains.
Frontend (netlify) : example.netlify.app
Backend (heroku) : example.herokuapp.com
Github (this is my repository, just in case) : https://github.com/dbwjd5864/YumPlan
So getting cookies from the backend and storing them in order to make other API calls with cookies worked fine in Chrome (I haven't tried Firefox yet, but I believe it works as well).
However, when I tested it with Safari, I can see the cookies in the response, but they were not stored for later requests, so I couldn't get authorized. However, when I uncheck Prevent cross-site tracking under Safari preferences, I could get the cookies for the later API calls.
I guess this is a CORS issue caused by a Safari setting. I spent so much time trying to find a way to solve it, but I couldn't. Is there any way to make it possible for Safari users to log in and set the token on different domains?
Or Should I just use the same domain, for example, I deploy the frontend and backend on Heroku together to use the same domain?
I really appreciate any help you can provide.

Web server cookie changes not working from iframe in Chrome with SameSite=None

I have a web app that is used in an iframe (it is a Word Office add-in).
The iframe app has a simple logout link (e.g., https://www.example.com/logout) to clear the session cookie. This logout link:
works outside of the iframe in all browsers
works in the iframe in Safari and Firefox, but
doesn't work in the iframe in Chrome even though I've set SameSite=None.
My session cookie has the following settings:
Not permanent (though lasts a long time)
SameSite=None
Secure
HttpOnly
Domain is example.com instead of www.example.com but I don't think this is the issue
Here is a screenshot in case you don't believe me :):
Googling for this returns a ton of hits recommending to set SameSite=None but I've already done that.
Any idea why the web server can't change the cookie from the iframe?

Why isn't the browser storing a cookie created on a subdomain in the referring subdomain?

I'm facing a few problems when I authenticate using cookies to store the token. Those cookies should be delivered between subdomains; for example, I have my auth code deployed on a subdomain named services.mydomain.co and my frontend on a subdomain named apps.mydomain.co.
When someone authenticates, my auth code creates a cookie with the Domain attribute set like this: Domain=.mydomain.co, in order to enable it to be delivered to all subdomains of mydomain.co. But the cruel reality is that it is not working; the browser isn't even storing the cookie.
The cookie is successfully delivered in the response header after authenticating, but the browser isn't storing it.
I'm creating the cookie this way: Set-Cookie: myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none
I hope someone can give me some advice, and sorry for my bad English.
From your example, you are setting SameSite=None without Secure. This is invalid and browsers (Chrome, Edge, Firefox, etc.) will begin rejecting this.
However, you should check DevTools in Chrome on your site to see the specific error. You can check both the Console and individual requests in the Network tab to see issues with a given cookie.
You can find more detail on https://www.chromium.org/updates/same-site/test-debug
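Both answers on this page come down to the same two browser rules: a cookie with no SameSite attribute is treated as SameSite=Lax and so is not sent from a third-party iframe, and SameSite=None is only honoured together with Secure. The checker below is an added example, not code from either answer or from Django: it applies those rules to raw Set-Cookie headers so you can see in advance which cookies a third-party iframe will lose. The Django setting names at the bottom are real (SESSION_COOKIE_SAMESITE accepts the string "None" from Django 3.1 onwards); the header renderer is an assumed simplification of what Django emits, and all sample headers are constructed, except the one copied from the question above.

```python
# Added example: predict how a SameSite-by-default browser (Chrome 80+, and
# Edge/Firefox following it) treats a Set-Cookie header when the page that
# set it is embedded in an iframe on an unrelated site.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]]  # lowercased attribute name -> value, None for flags


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and attributes."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, has_eq, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return Cookie(name.strip(), value.strip(), attrs)


def third_party_iframe_verdict(cookie: Cookie) -> str:
    """Assumed rules: missing SameSite -> Lax; SameSite=None needs Secure."""
    samesite = (cookie.attrs.get("samesite") or "").lower()
    secure = "secure" in cookie.attrs
    if samesite == "none":
        if not secure:
            return "rejected: SameSite=None without Secure is invalid, cookie is not stored"
        return "sent: SameSite=None; Secure"
    if samesite == "strict":
        return "not sent: SameSite=Strict"
    if samesite == "lax":
        return "not sent: SameSite=Lax"
    if samesite == "":
        return "not sent: no SameSite attribute, browser defaults it to Lax"
    return f"not sent: unrecognised SameSite={samesite!r}, treated as unspecified (Lax)"


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Pair each header's cookie name with its verdict, in order."""
    return [(c.name, third_party_iframe_verdict(c)) for c in map(parse_set_cookie, headers)]


# Django settings that make the session and CSRF cookies usable inside a
# third-party iframe. Note the string "None": in Django, Python None means
# "omit the attribute", which leaves the cookie at the browser's Lax default.
DJANGO_IFRAME_COOKIE_SETTINGS = {
    "SESSION_COOKIE_SAMESITE": "None",
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SAMESITE": "None",
    "CSRF_COOKIE_SECURE": True,
}


def django_session_cookie_header(settings: dict, session_key: str = "<session-key>") -> str:
    """Assumed simplification of Django's session Set-Cookie header: only the
    attributes that matter for the SameSite rules are rendered."""
    parts = [f"sessionid={session_key}", "Path=/", "HttpOnly"]
    samesite = settings.get("SESSION_COOKIE_SAMESITE", "Lax")  # Django's default is Lax
    if samesite:
        parts.append(f"SameSite={samesite}")
    if settings.get("SESSION_COOKIE_SECURE"):
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed headers: Django's default session cookie, the header from
    # the subdomain question above, its corrected form, and the header the
    # settings dict produces.
    SAMPLE_HEADERS = [
        "sessionid=abc123; Path=/; HttpOnly",
        "myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none",
        "myKey=myKeyValue; Path=/; HttpOnly; Max-Age=1555520000; Domain=.mydomain.co; SameSite=None; Secure",
        django_session_cookie_header(DJANGO_IFRAME_COOKIE_SETTINGS),
    ]
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```

Run it against the Set-Cookie headers your own site returns (copy them from the Network tab) before changing settings; as the answer above says, Chrome's console will report the same two conditions, but the checker lets you test a whole list of cookies offline. Passing the SameSite check only means the browser will send the cookie; Safari's tracking prevention can still withhold it, which the next question on this page runs into.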

Reading cookies with "Samesite=None;Secure" from iframe in Safari 13

I have an iframe where I use cookie authentication. The cookie is set normally on my domain when users log in. I use SameSite=None;Secure. The problem is that when a third party website embeds an iframe from my domain, my authentication cookie is not passed so the iframe cannot authenticate the user.
This works fine in Chrome and Firefox, but doesn't work in Safari (and it used to work up until about a month ago)
I'm aware of the Webkit bug with SameSite=None, which was supposedly fixed in Safari 13. I know that Safari is no longer allowing iframes to set third party cookies (this has been the case for years, so I don't see how it could be related to this recent change). However, I'm not trying to set a cookie - I just want to read it. Until recently, this was possible (see this SO question).
Until Safari 13, there was a workaround that allowed people to set third-party cookies by redirecting the top page to the cookie-setting domain and then going back to the original page. In this case the iframe would be able to see the cookie (because, again, the iframe couldn't write but it could read cookies).
I tried setting a secondary cookie with no SameSite attribute, as these were supposed to work, but it's still not being sent.
Is Safari now completely dropping cookies regardless of whether SameSite is set or not? If so, why did they bother to fix the SameSite bug? Something doesn't add up.
Update:
It seems to be related to Apple's ITP 2, which sets strict standards on third-party cookies and even discriminates between domains based on which domains they deem likely to do bad tracking: https://www.seerinteractive.com/blog/what-is-intelligent-tracking-prevention/
So from what I've been gathering, there seems to be no way to circumvent the situation.
Update 2:
I think I might have found a reliable solution in Webkit's Storage Access API: https://webkit.org/blog/8124/introducing-storage-access-api/

How to create a cookie on a Google site?

I created a Google site page with 5 links on it. Is it possible to create on my site a script or something that stores in a cookie the link on which the user has clicked, so that the next time he connects to the page, he will be automatically redirected to the link he clicked on? For information, the user connects to the site with his Google email account.
How can I do that please?
Thank you very much in advance for your help
While it is possible to read cookies and redirect using JavaScript inside a Google Page (using widgets), browsers will not allow you to set cookies for a completely different domain for obvious security reasons.
Related:
How to set a cookie for another domain
Cross-Domain Cookies
What's your favorite cross domain cookie sharing approach?
You could theoretically try and send an AJAX request from the Google Page with a "where should I direct this user to?" and expect a URL or a null.
See:
CORS $.ajax session cookies (access-control-allow-credentials & withCredentials=true)
Cross domain POST request is not sending cookie Ajax Jquery
But overall, your task is not as straightforward as it may seem. The browser will, fortunately, not play along.