Chrome 80 - same-site settings - causing embedded page login issue

Starting February 4, 2020, Google Chrome will stop sending third-party cookies in cross-site requests unless the cookies are secured and flagged using an IETF standard called SameSite.

The above is causing issues on BPM with any embedded pages i.e. using iFrame.

The following flags need to be disabled.

  • Delay the commit to screen for same-origin navigations
  • SameSite by default cookies
  • Enable removing SameSite=None cookies
  • Cookies without SameSite must be secure

It is not a feasible long-term solution as the above restrictions are put into place to limit vulnerabilities with cross-site requests.

Is there work in progress to manage the above when using Bonitasoft BPM?

Thank you.

Comments

Submitted by thomas.bouffard on Wed, 04/15/2020 - 12:14

Hello Tanya,

To help us better understand your concern, can you please provide

  • the Bonita version you are using. At a given time, the latest 4 minor versions are supported (today 7.7.x to 7.10.x) and some users are still using older versions. As Bonita constantly evolves, especially in the frontend area, this info is very important, even if you think it is not relevant at first glance: the answer you get depends on the Bonita version. Notice that the issue you are facing may occur with a large range of Bonita versions.
  • the use case you are trying to cover. Here you are providing technical elements, which are probably highly accurate, but without the context, it is hard to understand what you are trying to achieve and it is impossible to provide you workarounds or alternate solutions if they exist. For instance (the example may not be related to your issue), this could be "I am developing a UI Designer page, I include this and I see this error, probably due to that technical browser change".

Regards

Thomas

2 answers

Hello,

Here is some news regarding this Same-site update: we just published a blog post, https://community.bonitasoft.com/blog/manage-web-browsers-new-cors-behavior, to explain more about what happens and how to manage the possible side effects.

Hope this helps,

Julien.

Hello,

Thanks for the warning. We are closely following this subject.

Since the latest event related to COVID-19, the Chrome team has postponed the rollout of this new behavior.

https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html

Stay tuned, we might have some news regarding "SameSite" cookies in our next release, 7.11 (June 04 2020).

We will let you know on this topic, as soon as we have more information about this.
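
The cookie rules behind the Chrome flags listed in the question, as an added example that is not part of the original thread: it classifies a `Set-Cookie` header by whether Chrome's new default would attach that cookie to a request made from a cross-site iframe. The function names and sample headers are constructed for illustration, and the sketch assumes the framed page is cross-site to the embedding page and served over HTTPS.

```javascript
// Added example: apply the Chrome 80 SameSite rules to Set-Cookie headers.
// Function names and sample headers are constructed, not taken from Bonita.

// Extract the cookie name plus the two attributes the new rules depend on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Would the browser send this cookie on a request issued from a cross-site iframe?
function crossSiteIframeVerdict(header) {
  const c = parseSetCookie(header);
  const known = ["strict", "lax", "none"];
  // "SameSite by default cookies": a missing or unrecognised value is treated as Lax.
  const mode = known.includes(c.sameSite) ? c.sameSite : "lax";
  const defaulted = mode !== c.sameSite;
  if (mode === "none") {
    // "Cookies without SameSite must be secure": None is only honoured with Secure.
    return c.secure
      ? { name: c.name, sent: true, reason: "SameSite=None with Secure" }
      : { name: c.name, sent: false, reason: "SameSite=None without Secure is rejected" };
  }
  // Lax and Strict cookies are withheld from cross-site subframe requests.
  const reason = defaulted ? "no valid SameSite, treated as Lax" : `SameSite=${mode}`;
  return { name: c.name, sent: false, reason };
}

// Constructed sample headers covering each case.
const SAMPLES = [
  "sid=abc123; Path=/; HttpOnly",
  "sid=abc123; Path=/; SameSite=None",
  "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None",
  "sid=abc123; Path=/; SameSite=Lax",
];

for (const header of SAMPLES) {
  const v = crossSiteIframeVerdict(header);
  console.log(`${header}\n  -> ${v.sent ? "sent" : "NOT sent"} (${v.reason})`);
}
```

Only the third sample survives in an embedded, cross-site context, which is why an iframe login keeps failing until the session cookie is issued with both `SameSite=None` and `Secure`.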
