How Samesite cookie settings works with iframes

Question 1

I have to embed a page with iframe to a different domain page. enter image description here

This iframe is loaded with a jwt token that authenticates the user in domain B.

This response, creates a session cookie and reloads the page (from domain B to domain B page) of the iframe.

This process works for Firefox, but doesn't work for Chrome because the setcookie is refused due to SameSite settings.

Probably I did not understand the SameSite settings because the authentication happened starting from domain B to domain B so I cannot understand why SameSite Lax is not valid for Chrome.

Question 2

Are both A and B running https?

Question 3

Yes they are https

Question 4

Browsers employ two mechanisms to deny a page from domain B access to its cookies when it is embedded (iframed) within a page from domain A, if A and B are from different sites, for example, A = example.com and B = myapp.org.

The first mechanism has been in force for a few years: To be accessible, the cookie must have SameSite=None. The SameSite cookie attribute is not only evaluated during page embeddings, but also during navigation from a page from A to a page from B. For navigation, SameSite=Lax would be sufficient, but what blocks you is the embedding, not the navigation.

The second mechanism is much more far-reaching, since it does not depend on an attribute like SameSite (which the server controls), but is controlled by the browser alone: third-party cookie blocking. This is currently being rolled out by Chrome (and other browser vendors, though perhaps not yet Firefox) under the "privacy protection" headline.

Privacy-preserving alternatives to third-party cookies are partitioned cookies (which are valid in one embedding, but not across embeddings) and the storage access API (whereby the user is prompted to grant access to the third-party cookies).

Heiko Theißen 18.3k2 gold badges14 silver badges50 bronze badges · Accepted Answer · 2024-10-11 16:09:40Z

Browsers employ two mechanisms to deny a page from domain B access to its cookies when it is embedded (iframed) within a page from domain A, if A and B are from different sites, for example, A = example.com and B = myapp.org.

The first mechanism has been in force for a few years: To be accessible, the cookie must have SameSite=None. The SameSite cookie attribute is not only evaluated during page embeddings, but also during navigation from a page from A to a page from B. For navigation, SameSite=Lax would be sufficient, but what blocks you is the embedding, not the navigation.

The second mechanism is much more far-reaching, since it does not depend on an attribute like SameSite (which the server controls), but is controlled by the browser alone: third-party cookie blocking. This is currently being rolled out by Chrome (and other browser vendors, though perhaps not yet Firefox) under the "privacy protection" headline.

Privacy-preserving alternatives to third-party cookies are partitioned cookies (which are valid in one embedding, but not across embeddings) and the storage access API (whereby the user is prompted to grant access to the third-party cookies).

CollectivesTM on Stack Overflow

How Samesite cookie settings works with iframes

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Linked

Hot Network Questions

CollectivesTM on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Linked

Related