I have a page (runs on Tomcat) that needs to be displayed in an iframe by other sites. This page's work depends on JavaScript and cookies. It can also detect whether JavaScript and cookies are enabled in the browser. I have the following HTML snippet in a test page (runs on Apache web server) showing the page in an iframe:
<div id="embedded-page">
<iframe referrerpolicy="no-referrer-when-downgrade" src="_link_to_the_page_on_Tomcat">
...
the page is displayed in iframe
....
</iframe>
</div>
I use the above HTML in my tests. The page can be displayed correctly in FF, Edge, Brave and other browsers. However, in Chrome, the page reports that cookies are not supported.
The page to display runs on Tomcat and is part of a Spring MVC website plus Spring Security. For Spring Security, I have the following setup:
<security:headers disabled="true"/>
How to prevent Chrome from disabling cookies in iframe?
CodePudding user response:
This is related to Cookie's SameSite attribute.
With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.
You should try to set SameSite=None in your Cookie to make it work. After that, you can figure out what is the best value for the SameSite attribute. Take a look at this answer.
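The rule quoted in the answer can be checked against the `Set-Cookie` headers the Tomcat page actually sends. The following is an added example, not code from the original post: it assumes the embedding site and the embedded page are on different sites, and the header values and function names are constructed for illustration.

```python
# Added example: models the Chrome 80+ rule described in the answer above.
# All header values are constructed samples, not taken from the page.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attributes) with lowercase keys."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def iframe_verdict(header):
    """Return (cookie name, usable in a cross-site iframe?, reason)."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if same_site not in ("strict", "lax", "none"):
        # Missing or unrecognised value: the browser applies its default.
        return name, False, "no valid SameSite attribute, treated as SameSite=Lax"
    if same_site != "none":
        return name, False, f"SameSite={same_site.capitalize()} is withheld from cross-site iframes"
    if "secure" not in attrs:
        # SameSite=None is only honoured together with Secure (HTTPS only).
        return name, False, "SameSite=None without Secure is rejected"
    return name, True, "SameSite=None; Secure"

def audit(headers):
    """Evaluate every Set-Cookie header value in a captured response."""
    return [iframe_verdict(h) for h in headers]

SAMPLE_HEADERS = [  # constructed
    "JSESSIONID=abc123; Path=/app; HttpOnly",
    "JSESSIONID=abc123; Path=/app; HttpOnly; SameSite=None",
    "JSESSIONID=abc123; Path=/app; Secure; HttpOnly; SameSite=None",
    "prefs=dark; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for name, usable, reason in audit(SAMPLE_HEADERS):
        print(f"{name:12} {'OK  ' if usable else 'FAIL'} {reason}")
```

Only the third sample passes, which means the embedded page must be served over HTTPS for its session cookie to work inside the iframe. Keep `HttpOnly` on the session cookie when relaxing `SameSite`, since the cookie then travels with every cross-site request to the page.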