
We want to open our website in an iframe tag, but it does not happen with the latest Chrome browser. I have tried various solutions for that but still I am not able to open our website in an iframe in Chrome. When I run the code in another browser, the login page opens and we are able to log in, but in Chrome the login page opens but we are not able to log in. There are no exceptions in the browser console.

If anyone knows, please reply.

This is the filter where I set the cookies

 import java.io.IOException;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.filter.GenericFilterBean;

 @Configuration
 public class IFrameFilter extends GenericFilterBean {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // CORS header: affects fetch/XHR reads from other origins, not iframe navigation
        ((HttpServletResponse) response).setHeader("Access-Control-Allow-Origin", "*");
        // Cookie marked for cross-site (third-party) use: SameSite=None requires Secure
        ((HttpServletResponse) response).setHeader("Set-Cookie", "locale=de; HttpOnly; SameSite=None; Secure");
        chain.doFilter(request, response);
    }
 }


// HTML page that embeds the site

<!DOCTYPE html>
<html>
<body>

<h1>The iframe element</h1>

<iframe src="https://devs.smart360.biz/" title="W3Schools Free Online Web Tutorials"
    style="width:500px;height:500px;">
</iframe>

</body>
</html>

  • It first comes to the website which has the iframe tag. Does the website come from the same domain? A little reading on the security issue: [Setting cookie in iframe](https://stackoverflow.com/questions/2117248/setting-cookie-in-iframe-different-domain) – Joshua Ooi May 08 '21 at 13:33
  • But it works in other browsers, so how can we say it's a security issue? – Abhijit Yadav May 09 '21 at 10:23

2 Answers

1

There have been numerous changes in Chrome (and other browsers) regarding cookies and iframe.

The basics of what is changing: there is now a 'SameSite' cookie policy, where only cookies set as SameSite=None; Secure will be available in third-party contexts, provided they are being accessed from secure connections.

Also, in Safari, the third-party frame will have to request access to the storage API before the cookie will be accessible.

Firefox is using a partitioned approach to storage, so the frame will behave as normal unless you then open your application as a new window; then the cookie store may or may not follow, depending on how the new window was created.

Cookie Status is an excellent resource to track how third party cookies work in the different browsers and what you should change to make it work.

pfranza
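Added example, not part of the answer above or of the question's project code: it models the Chrome rule the answer describes in JavaScript and runs it over the question's own Set-Cookie header next to a constructed JSESSIONID header. Servlet containers issue the session cookie with no SameSite attribute unless configured otherwise, and that cookie, not the locale one, is what a login inside the frame depends on. Function and variable names are mine. Note that Access-Control-Allow-Origin, also set in the question's filter, governs CORS reads by fetch/XHR and has no effect on whether cookies accompany an iframe navigation.

```javascript
// Added example (not from the original question or answer): classify Set-Cookie
// headers under Chrome's SameSite rules to see which cookies will be attached to
// requests made from inside a cross-site <iframe>.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Decide whether a cookie set by the embedded site will be sent on requests made
// from a cross-site iframe. `secureContext` is whether the framed page is HTTPS.
function thirdPartyVisibility(header, { secureContext = true } = {}) {
  const cookie = parseSetCookie(header);
  const secure = cookie.attributes.secure === true;
  const raw = cookie.attributes.samesite;
  // Missing or unrecognised SameSite: Chrome applies Lax by default.
  let sameSite = typeof raw === 'string' ? raw.toLowerCase() : 'lax';
  if (!['none', 'lax', 'strict'].includes(sameSite)) sameSite = 'lax';

  const result = { name: cookie.name, sameSite, secure };
  if (sameSite === 'none' && !secure) {
    return { ...result, status: 'rejected', reason: 'SameSite=None without Secure is dropped by Chrome' };
  }
  if (secure && !secureContext) {
    return { ...result, status: 'rejected', reason: 'Secure cookie cannot be set over plain HTTP' };
  }
  if (sameSite === 'none') {
    return { ...result, status: 'sent', reason: 'SameSite=None; Secure is allowed in third-party contexts' };
  }
  return { ...result, status: 'withheld', reason: `SameSite=${sameSite} cookies are not sent on cross-site iframe requests` };
}

// Audit every Set-Cookie header of a response and return the ones that will not
// survive the iframe, which is what silently breaks a login inside the frame.
function auditSetCookieHeaders(headers, options) {
  return headers.map((h) => thirdPartyVisibility(h, options)).filter((r) => r.status !== 'sent');
}

// Constructed sample response: the question's locale cookie plus a typical
// container session cookie that carries no SameSite attribute.
const SAMPLE_HEADERS = [
  'locale=de; HttpOnly; SameSite=None; Secure',
  'JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly',
];

console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
```

Running the audit on the constructed response reports only JSESSIONID as withheld: the locale cookie from the filter is fine, but the session cookie is treated as SameSite=Lax and never reaches the server on requests from the frame, so the login cannot stick. The fix is to give the session cookie itself SameSite=None; Secure (for example through the servlet container's cookie configuration) rather than adding a separate cookie.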
0

It seems you use Spring Security, and it sets the X-Frame-Options: SAMEORIGIN response header.

You could use ALLOW_FROM uri instead of SAMEORIGIN to whitelist URIs that could embed your site. Or remove this header completely to allow it from everywhere.

Read https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options for more details.

martin-g
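Added example, not from the answer above: a JavaScript evaluator for the framing headers that shows the precedence a browser applies (a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options when both are present) and the ALLOW-FROM trap: that directive is obsolete, and Chrome ignores the entire X-Frame-Options header when it carries it, so the page fails open rather than closed. The header sets, the embedding origins other than devs.smart360.biz, and the function names are constructed. Spring Security's own default for the header is DENY rather than SAMEORIGIN; either value refuses the frame.

```javascript
// Added example (not from the original answer): decide whether `embedderOrigin`
// may frame a page served from `pageOrigin`, given the page's response headers.
// Header names are lowercase keys; origins are constructed sample values.

function parseOrigin(origin) {
  const u = new URL(origin);
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || (u.protocol === 'https:' ? '443' : '80'),
  };
}

// Match one frame-ancestors source expression ('self', 'none', *, scheme:, or a
// host-source such as https://*.example:443) against the embedding origin.
function sourceMatches(source, pageOrigin, embedderOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return pageOrigin === embedderOrigin;
  const e = parseOrigin(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return e.scheme === src.slice(0, -1);
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== e.scheme) return false;
  if (wildcard ? !e.host.endsWith('.' + host) : e.host !== host) return false;
  if (port && port !== '*' && port !== e.port) return false;
  return true;
}

function canFrame(headers, { pageOrigin, embedderOrigin }) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      // frame-ancestors takes precedence; X-Frame-Options is ignored when it is present.
      const allowed = directive.split(/\s+/).slice(1).some((s) => sourceMatches(s, pageOrigin, embedderOrigin));
      return { allowed, via: 'Content-Security-Policy frame-ancestors' };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, via: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') return { allowed: pageOrigin === embedderOrigin, via: 'X-Frame-Options: SAMEORIGIN' };
  // ALLOW-FROM is obsolete: Chrome discards the whole header, so anyone may frame the page.
  if (xfo.startsWith('ALLOW-FROM')) return { allowed: true, via: 'X-Frame-Options: ALLOW-FROM (ignored by Chrome, fails open)' };
  return { allowed: true, via: 'no framing restriction' };
}

// Constructed sample policies; devs.smart360.biz is the framed site from the question.
const PAGE_ORIGIN = 'https://devs.smart360.biz';
const EMBEDDER = 'https://portal.example';
const POLICIES = {
  deny: { 'x-frame-options': 'DENY' },
  sameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM https://portal.example' },
  allowList: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://portal.example" },
  both: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors https://*.example' },
};

for (const [name, headers] of Object.entries(POLICIES)) {
  console.log(name, canFrame(headers, { pageOrigin: PAGE_ORIGIN, embedderOrigin: EMBEDDER }));
}
```

In Spring Security 5, `http.headers().frameOptions().disable()` removes the X-Frame-Options header entirely, and `http.headers().contentSecurityPolicy("frame-ancestors https://portal.example")` adds an explicit allow list as CSP; the allowList policy above is what that produces, admitting the named embedder and refusing every other site, whereas the allowFrom policy admits everyone in Chrome.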