
I have a page (runs on Tomcat) that needs to be displayed in an iframe by other sites. This page's work depends on JavaScript and cookies. It can also detect whether JavaScript and cookies are enabled in the browser. I have the following HTML snippet in a test page (runs on an Apache web server) showing the page in an iframe:

<div id="embedded-page">
  <iframe referrerpolicy="no-referrer-when-downgrade" src="_link_to_the_page_on_Tomcat">
    ...
    the page is displayed in the iframe
    ...
  </iframe>
</div>

I use the above HTML in my tests. The page can be displayed correctly in FF, Edge, Brave and other browsers. However, in Chrome, the page reports that cookies are not supported.

The page to display runs on Tomcat and is part of a Spring MVC website plus Spring Security. For Spring Security, I have the following setup:

<security:headers disabled="true"/> 

How to prevent Chrome from disabling cookies in the iframe?

curious1
  • I think it's related to the Cookie `SameSite` attribute. Did you take a look at that? https://stackoverflow.com/questions/45094712/iframe-not-reading-cookies-in-chrome – Marcus Hert da Coregio Jul 18 '22 at 18:23
  • @MarcusHertdaCoregio, thanks for your input! You are correct. I modified the way to set cookies and the issue is gone. Best. – curious1 Jul 19 '22 at 02:43
  • Glad it worked. I've added it as an answer to help folks who are facing the same problem. It would be nice if you could accept the answer – Marcus Hert da Coregio Jul 19 '22 at 11:56
  • That is a good idea! – curious1 Jul 19 '22 at 20:51
  • Hi, I am facing the same issue and have set sameSite: 'none' (I am using node) which still does prevent cookies from disabling in iframe. May I know what you did to fix your issue? – user121443 Jul 06 '23 at 10:12

1 Answer

This is related to the cookie's SameSite attribute.

With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.

Quote taken from here.

You should try to set SameSite=None in your cookie to make it work. After that, you can figure out what the best value for the SameSite attribute is. Take a look at this answer.

iframe not reading cookies in Chrome

  • It should be 'SameSite=None;Secure'. Without `Secure`, Chrome won't work. FF and other browsers seem more lenient. – curious1 Jul 19 '22 at 20:53
  • This link has more info about `SameSite=None;Secure` https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure – curious1 Jul 19 '22 at 20:58
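The answer and the follow-up comment settle on `SameSite=None; Secure`. For the stack in the question (Spring MVC with XML-configured Spring Security, running on Tomcat, no Spring Session) the `Set-Cookie` header for `JSESSIONID` is written by Tomcat's cookie processor, not by Spring Security, so the attribute is set in Tomcat's configuration. The fragments below are an added example, not code from the original post or from the Tomcat or Spring documentation verbatim. They assume a Tomcat 8.5.x or 9.x release whose `CookieProcessor` accepts the `sameSiteCookies` attribute with the value `none` (check the `CookieProcessor` reference for your exact version) and that the webapp is deployed from a WAR with its own `META-INF/context.xml`; the file paths are those standard locations, not anything from the question.

```xml
<!-- META-INF/context.xml inside the webapp
     (or conf/context.xml to apply it to every webapp on the server).
     Tomcat renders every cookie added via response.addCookie(), including
     the JSESSIONID session cookie, through this processor, so the
     SameSite attribute is appended to all of them. -->
<Context>
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="none" />
</Context>

<!-- WEB-INF/web.xml
     Chrome ignores SameSite=None unless the cookie also carries Secure,
     so force Secure (and HttpOnly) on the session cookie regardless of
     whether Tomcat itself sees the request as HTTPS. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

Two things to verify after the change. First, `Secure` means the browser only stores and sends the cookie over HTTPS, so the framed Tomcat page must be loaded over `https://` in the iframe; served over plain HTTP, Chrome drops the cookie entirely and the page's detection still reports cookies as unsupported. Second, the `CookieProcessor` only affects cookies created with `response.addCookie(...)`: application cookies still need `cookie.setSecure(true)` in your own code, and anything written directly with `response.setHeader("Set-Cookie", ...)` bypasses the processor and must spell out `SameSite=None; Secure` itself. A quick check is to load the page directly and inspect the `Set-Cookie` response header in the browser's network tab or with `curl -I`; every cookie the iframe depends on should show both attributes.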