chrome 80 - same-site settings - causing embedded page login issue
Starting February 4, 2020, Google Chrome will stop sending third-party cookies in cross-site requests unless the cookies are secured and flagged using an IETF standard called
The above is causing issues on BPM with any embedded pages i.e. using iFrame.
The following flags need to be disabled.
- Delay the commit to screen for same-origin navigations
- SameSite by default cookies
- Enable removing SameSite=None cookies
- Cookies without SameSite must be secure
It is not a feasible long term solution as the above restrictions are put into place to limit vulnerabilities with cross-site requests.
Is there work in progress to manage the above when using Bonitasoft BPM.
to help us to better understand your concern, can you please provide
- the Bonita version you are using. At a given time, the latest 4 minor versions are supported (today 7.7.x to 7.10.x) and some users are still using older versions. As Bonita constantly evolves, especially in the frontend area, this info is very important, even if you think it is not relevant at 1st glance: the answer you get depends on the Bonita version. Notice that the issue you are facing may occur with a large range of Bonita versions
- the use case you are trying to cover. Here you are providing technical elements, which are probably highly accurate, but without the context, it is hard to understand what you are trying to achieve and it is impossible to provide you workarounds or alternate solutions if they exist. For instance (the example may not be related to your issue), this could be "I am developing an UI Designer page, I include this and I see this error, probably due to that technical Browser change"
here some news regarding this Same-site update,
we just published a blog post : https://community.bonitasoft.com/blog/manage-web-browsers-new-cors-behavior,
to explain more what happens, and how to manage the possible side effects.
Hope this helps,
Thanks for the warning. We are closely following this subject.
Since the latest event related to COVID-19, the Chrome team has postponed the rollout of this new behavior.
Stay tuned, we might have some news regarding "SameSite" cookies in our next release 7.11 release (June 04 2020)
We will let you know on this topic, as soon as we have more information about this.