Tags: c#, google-chrome, iframe, local-storage, samesite

After the Chrome update in Feb 2020 for the SameSite-related issue, my IFrame still has issues even after following web config suggestions for .NET


So a client's client's issue is in an IFrame:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>HTML Test</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>

<body>

<p>Below is an iframe.</p>
<iframe src="*LinkWithDirectAuthenticationHere*" width="800" height="800">
  <p>iframes are not supported by your browser.</p>
</iframe>

</body>
</html>

Once the user is authenticated, the user is redirected back to the login page because the localStorage containing the logged-in user's details is returning empty due to the website being in an IFrame (signing out automatically). This was okay before the Chrome Feb 2020 update.

The version of Google Chrome I am using is 80.0.3987.149.
For some reason, even if my other colleagues have the same version, they are not experiencing this issue. I have already uninstalled all my plugins, cleared the cache and logged out of Chrome; the issue persists in my browser (I am the only one currently able to replicate my client's client's issue).

After setting this in my browser, I didn't have the issue anymore: SameSite by Default Cookies Disabled

However, this is not the proper solution. So I tried and did the following on my .NET app:

  • Updated the framework from 4.5.2 to 4.7.2
  • Brute-force added in the header (for now): Code Owin SameSite None
  • Added this, but no idea yet what the pre-existing options should be:
    Code OpenIdConnectAuthenticationOptions SameSiteCookieManager
  • Added the following in web config: [screenshot]
  • Not sure why this attribute is not allowed: [screenshot]

I have these as warnings when testing the application on my localhost: [screenshot]

Please note that disabling SameSite by default cookies fixed the issue, but I have to take action so that the user does not have to change their settings and can continue on like before.

Additional Note:

  • I am not experiencing this issue on Internet Explorer, Firefox and Opera
  • The link does not have the issue when it is not in an IFrame

Solution

  • At the moment Chrome enforces the new policy only for a subset of users, so your colleagues might see different results.

    I assume you have checked the Chrome Application => Storage => Cookies view and confirmed your cookies come back with SameSite=None and Secure set up? [screenshot]

    If so, you might need to move your iframe over to https (looking at your screenshot it appears to be HTTP now) as Secure instructs Chrome to only send this cookie over secure connection. To test whether this is your case, try disabling chrome://flags/#cookies-without-same-site-must-be-secure
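An added check, not part of the question or the answer, that applies the rules the answer describes to Set-Cookie header values copied from the DevTools Cookies view: it reports why a cookie would be withheld from (or rejected for) a cross-site iframe under Chrome 80's SameSite defaults, given the scheme of the iframe's src URL. The header values in SAMPLES are constructed, not the asker's real cookies.

```python
# Reason codes and what each means for a cookie used inside a cross-site iframe.
EXPLANATIONS = {
    "no-samesite": "no SameSite attribute: Chrome 80 treats it as Lax and withholds it from cross-site iframes",
    "samesite-lax-or-strict": "SameSite=Lax/Strict: never sent in a cross-site iframe",
    "none-without-secure": "SameSite=None without Secure: Chrome 80 rejects the cookie",
    "secure-over-http": "Secure cookie but the iframe src is http: the cookie is only sent over https",
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes). Attribute keys are lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def iframe_cookie_check(header, iframe_src_scheme):
    """Return the list of reason codes that stop this cookie from reaching a cross-site iframe.

    An empty list means the cookie carries SameSite=None; Secure and the iframe is loaded over https,
    which is the combination the answer asks the reader to confirm.
    """
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    problems = []
    if samesite == "":
        problems.append("no-samesite")
    elif samesite in ("lax", "strict"):
        problems.append("samesite-lax-or-strict")
    elif samesite == "none" and not secure:
        problems.append("none-without-secure")
    if secure and iframe_src_scheme.lower() != "https":
        problems.append("secure-over-http")
    return problems

# Constructed sample headers: the typical defaults of an OWIN cookie and the stages of fixing it.
SAMPLES = {
    "legacy":       "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "none-only":    ".AspNet.Cookies=tok; path=/; SameSite=None; HttpOnly",
    "fixed-http":   ".AspNet.Cookies=tok; path=/; SameSite=None; Secure; HttpOnly",
    "fixed-https":  ".AspNet.Cookies=tok; path=/; SameSite=None; Secure; HttpOnly",
}

def report(samples=SAMPLES):
    """Map each sample to its reason codes; 'fixed-http' is checked against an http iframe src."""
    return {label: iframe_cookie_check(hdr, "http" if label == "fixed-http" else "https")
            for label, hdr in samples.items()}

if __name__ == "__main__":
    for label, codes in report().items():
        print(label, "->", [EXPLANATIONS[c] for c in codes] or "ok for cross-site iframe")
```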