Tags: google-chrome, cookies, iframe, cross-site

Chrome not sending back cookies in iframe after Aug 10, 2020 update


We have a webapp that embeds another webapp, hosted on a different site, in an iFrame. This has been in place for a few years already. Last week we started to get error reports from some users. After investigation we found that on Chrome 84.0.4147.125, released Aug 10, 2020, the cookies in the iFrame are not sent back to the server. The issue only occurs since this Chrome version; older versions and other browsers work fine.

What has changed in this release that could have this impact?


Solution

  • Thanks @Eyal.D for pointing to the solution.

    As stated in https://stackoverflow.com/a/45095345/1401409 :

    Chrome now blocks cookies without SameSite set, so you need to explicitly set it to samesite=none.

    I was able to fix this by adding the following in my httpd configuration:

    # Append the attributes a cross-site cookie needs to every Set-Cookie header
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
    

    I would add, as stated in https://stackoverflow.com/a/57874184/1401409 :

    If you own somesite.com you can opt out of this policy by setting the SameSite policy to None and deal with the risk of CSRF attacks by doing a Double Submit Cookie.