we are trying to set the samesite=none;secure in shopify app which is opening in iframe but we realised that it is being blocked by google chrome.
we are testing chrome 80 beta
we tried javascript and php but nothing is working.
app is embeded app and loading in iframe
here is php code
header('Set-Cookie: nameee=value; Max-Age=100; Domain=xyyyyy.com; Path=/; SameSite=None; secure;');
we tried java script also
document.cookie = "nameee=value;SameSite=none;secure;Domain=xxxx.com;Max-Age=100;path=/;";
our cookies are listed in blocked category here
https://imgur.com/g5tznq8
any help will be great. we followed all online articles but we can see our cookies are in blocked category for chrome
if you are using Shoify app gem, and dont want to upgrade your shopify_app or shopify api lib you can install this rails_sate_site_cookie gem
https://github.com/pschinis/rails_same_site_cookie
Two things I would look into; Is the environment protocol HTTPS? It needs to be for the 'Secure' cookie attribute to work, and then SameSite. Also the 'Secure' attribute needs to be Uppercase S... Secure
Lowercase/uppercase does not matter.
The most likely cause is that third party cookies (including your cookies, as they are for a cross-site iframe) are being blocked entirely. In your screenshot it says "third-party cookies are being blocked without exception".
Try going to chrome://settings/content/cookies and turning off third-party cookie blocking (or add an "Allow" entry for your site).
(This page has some information on testing and debugging SameSite cookies: https://www.chromium.org/updates/same-site/test-debug)
Related
I have jupyterhub(TLJH) running on my AWS. It is served on my site using an iframe. Since the latest chrome update, the "SameSite" cookie attribute is causing the following issue. The below image shows what I see in the Iframe
Given below is the warning I get in my console:
A cookie associated with a cross-site resource at http://www._____.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
When I disable the SameSite attribute in chrome://flags/, the iframe loads perfect.
I understand that I need to edit my cookie settings to add {SameSite=None; Secure} somewhere in jupyterhub, but I don't know where.
It looks to me as if you may be able to use the cookie_options setting to add SameSite=None; Secure to the cookies, but I am not 100% sure.
I've raised https://github.com/jupyterhub/jupyterhub/issues/3117 to ask the team to validate.
I could make it work only by making my server map to a subdomain. For example, say the main website which has the Iframe embed is www.mydomain.com, I had to map my Jupyter server to "subdomain.mydomain.com" to make it work.
It is obvious that the above approach was possible because the page I was trying to embed was owned by me. Hoping for an answer for the other scenario!
You can use jupyterhub proxy give your server a domain name like "http:***.mydomain.com" .But this must be subdomain of your site("http://www._____.com/")
I have a web app located on domain A which contains an iframe on domain B. The request to the src on domain B has some Set-Cookie headers. If i load this web app with Safari, or chrome, I can see the cookies set from the iframe request in developer tools. However, if i visit the same page on the iOS simulator (iOS 12), the cookies are not set and I get auth errors (due to missing cookies). I haven't had any luck finding anything online about this behaviour so I have no idea how to work around it. I feel like I must be missing something because this seems like it would be a giant missing feature.
Unfortunately, i haven't had time to setup a simple reproduction for this issue.
Any kind of advice would help.
The issue is with Safari iOS do not allow setting cookies from domain B, unless you "explicitly visit" B. Workaround is to visit the iframe domain and set blank cookie there, then bounce back to original A domain. Afterwards your "Set-Cookie" directives or whatever you use to set cookies will be allowed by iOS.
Check out this solution and discussion (also includes reproduction setup):
https://gist.github.com/iansltx/18caf551baaa60b79206
I'm working on an browser extension that authenticates with a remote server via XMLHttpRequests. In Firefox (59.0.2) I have the problem that the session cookie send by the server is not stored in the browser. When looking at the network traffic I get a Set-Cookie response from the server for every request:
Set-Cookie JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0;Path=/
but it seems that the cookie is never accepted or stored in the extension.
When looking at Chrome (where the extension is working) my extension includes this cookie in the request:
Cookie: io=jCX1X9rlaOhCqE0nAAAB JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0
However, this is not the case in Firefox. Why is Firefox is not including the cookie in the request? and why is it not storing the cookie?
UPDATE: as suggested I filed a bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1454806
Furthermore, I created a very minimal example addon that fails:
https://gitlab.com/czeidler/firefox-cookie-problem
Could somebody please let me know if that addon really should work? or am I doing something wrong? To trigger the problem open the debug view of the addon and select the network view. Then click the addon popup icon. This will trigger two requests to my server. The first reply contains a Set-Cookie header that is not reused in the second request.
I found the reason why it is not working. Firefox handles a request from the popup as a cross domain request and does not set the cookie for this reason. Not sure if Chrome and Firefox should behave the same here or which approach is the better one. Here is how I fixed this issue to make it work in both browsers:
On the server:
response.addHeader("Access-Control-Allow-Origin", request.getHeader("Origin"))
response.addHeader("Access-Control-Allow-Credentials", "true")
In the popup:
connection.withCredentials = true;
Is there a way to prevent websphere from sending cookies in a response on a per request/url basis?
Our users get a link which allows them to download a file. Works fine in all major browsers except for IE8 & IE7. In IE7 & IE8, the file download breaks when cookies are sent with the response.
When a new session is created, the WebSphere sends a JSESSIONID cookie, and sets Cache-control to no-cache=set-cookie. This causes the download process to break in IE8 and lower.
Things I tried:
1) I know that no-cache=set-cookie can be turned off in Websphere admin console, but it's not an option.
2) The websphere is fronted by a web server, so the response headers can be changed using the web server, but it's not really an option.
3) I created a servlet filter, but it seems like whatever websphere does happens after the filter runs.
4) I created a JSP page that would prompt file download on load. The idea was that the cookie will be exchanged on page load, so that it won't interfere with the download. Unfortunately, because the download is triggered through JavaScript, IE blocks the download, and a user needs to manually approve it.
Is there any way to make it work?
IE8 has bug that may connected with your problem. Bug description. stackoverflow
I solved similar problem using good article.
I am having a problem viewing a cookie value in Safari 6 developer tools. Just to be clear - the cookie works fine. I can see/fetch/echo the value of the cookie on the page. However, I can't see it in the Storage section of Web Inspector.
I'm wondering if the problem is multi-level subdomains. We have these:
www.domain.com
sub.domain.com
www.dev.int.domain.com (accessible only while on VPN)
We want this cookie accessible to all the domains, so we set a domain-level cookie like so (example):
Set-Cookie: UserLoginCookie=someencryptedvalue; Domain=.domain.com; Expires=Sun, 23-Mar-2014 00:02:56; Max-Age=31104000; Path=/; Version=1; HttpOnly
I'm looking in Web Inspector, in the Storage section, under Cookies.
When I load www.domain.com, I see the UserLoginCookie in the list.
When I load sub.domain.com, I see the UserLoginCookie in the list.
When I load www.dev.int.domain.com, I do NOT see the cookie, even though I can read/set it.
I've tried to google for this and search stackoverflow, but I've gotten nowhere. Does anyone know if this is a Safari bug or if there's just a step/option that I'm missing somewhere?
Thanks in advance for any help.
I am guessing this is a Webkit based bug that Safari has yet to fix - Webkit Developer Tools does not show parent domain cookies?
There is no easy way to do it as Safari removed the ability to see individual cookies from the Security tab: "Show Cookies" button missing as per this HOWTO. I have also tried the "Safari Cookies" plugin but it does not work as the cookie list did not refresh for me.
I've resolved to inspecting cookies with the 'document.cookie' in the developer console.