Browser uses samesite=lax even if samesite=none is specified
I am trying to embed my angular application to another site through iframe. In my angular application I am setting cookies and so when I try to embed the angular application to my other site, the Devtools shows an issue which tells me, that samesite=none wasn't set so the default samesite=lax is being used, which prevents the angular application to set cookies.
Afterwards I tried to set in the response Header the entry "set-cookie: samesite=none; secure", but it didn't work. As you can see on the screenshot below, the browser still uses "same-site=lax".
This issue happens on Chrome and Edge(Chromium) but not in Firefox.
Questions:
- I want to know if I am using the same-site setting incorrectly?
- Why does the browser show me this message although I use "samesite=none;secure"?
Screenshot:
Problem
You're misunderstanding Set-Cookie's syntax, and you've mistakenly omitted the cookie's name and value. Check out the MDN page on the topic:
A cookie definition begins with a name-value pair.
Accordingly, when the browser receives a response with the following header,
set-cookie: samesite=none; secure
it creates (or updates) a Secure cookie whose name is samesite and whose value is none. Because the SameSite attribute isn't specified and because Chromium now defaults to Lax for the SameSite attribute, the resulting cookie is effectively marked SameSite=Lax by your browser.
Solution
To fix this, you must choose a name and a value for your cookie and you must specify the cookie's name and value before any other cookie attributes:
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=None; Secure
- Frame Buster Buster ... buster code needed
- Javascript postMessage not working in a ReactJS app with iframes
- iframe and external website
- How to hide status bar in Microsoft office online viewer
- iframe shows blank page while waiting for new page to load whereas without iframe it doesn't
- Get current URL from IFRAME
- What are technical requirements in order to make "Recommend This Site" button work properly
- How do you disable copy paste within an iframe?
- How do I enable Feature/Permissions Policy in an iframe in Google Add-ons?
- Cancel long running IFRAMEs
- How to postMessage into iFrame?
- How to use Iframe in react native?
- Is there a way to change context to iframe in javascript console?
- Iframe content blocked
- How to get HTML from a cross origin iframe using WKWebView?
- Pgadmin interface within a iframe
- Why are iframes considered dangerous and a security risk?
- Changing the order of PlatformViews (iFrame) in a Stack causes the render to fail
- Getting around X-Frame-Options DENY in a Chrome extension?
- Resize external website content to fit iFrame width
- How do I set content of iframe with Javascript?
- Browser won't let the iframe do the redirect?
- Youtube embed live chat is not working on mobile (recently)
- Passing URL parameters to iframe
- iFrame not loading URL
- how to open different URLs in iframes using JavaScript and HTML buttons
- URL length problems on iFrame
- Pause YouTube iframe embed when playing another
- How can I add a button to an iframe to close it?
- List of Soundcloud iframe parameters?