A sibling department has created an HTML file that is effectively a scaffold for a handful of iframes. The iframes each call a report, which is hosted on a web server, with slightly different parameters. The called report will show a sign-on form to unauthenticated users, or the report contents to already-authenticated users.
scaffold.html:
<html>
<head>
<title>I just show the output from a bunch of report calls</title>
</head>
<body>
<iframe src="https://somesite.com/useful_report.html?parameter1=a¶meter2=1" id="iframe1"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=b¶meter2=2" id="iframe2"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=c¶meter2=3" id="iframe3"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=d¶meter2=4" id="iframe4"></iframe>
</body>
</html>
The sibling organization explained to us that if a user was signed on to https://somesite.com, the above setup worked great--each of the iframes would display the useful_report.html content...until a few days ago.
When I
each of the iframes returns the https://somesite.com sign on form. If I then open useful_report.html in a separate tab, the report content loads (proving somesite.com knows I am still signed on‡).
Using developer tools, I can see that the request headers to useful_report.html do not include the "Cookie:" attribute, so this explains why useful_report.html returns the sign on form.
My question is why are the iframe requests not sending cookies? What Chrome and/or server setting/policy/directive prevents it?
‡ - and now it knows that I know that it knows.
That's because of the SameSite cookie policy that Chrome defaults to Lax, meaning the cookies won't be sent unless the user can see the URL which excludes iframes.
If you own the somesite.com you can opt-out of this policy by setting SameSite policy to None and deal with the risk of CSRF attacks by Double Submit Cookie.