Problem with security-cookie (update 20220328): scenario: CC-page called in IFRAME, Chrome browser
Forum Index -> Development
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06

Hi,

we just stumbled over one scenario, in which we get security exceptions that are caused by update 20220328's mechanism to always send+expect a corresponding cookie from the browser side.

What is the problem scenario:
1. Chrome (Firefox works fine)
2. CC-page is started inside an IFRAME of another page (the other page might be a normal HTML page or a CC page)

Background: Chrome seems to not store cookies for pages that are started inside an IFRAME!

If you are in this scenario then switch off the new 20220328-function by configuring the corresponding filter to be not active:

Code:
 <system>
   ...
   <!-- active="false" switches off the security-check cookie introduced with update 20220328 -->
   <filterconfiguration
         active="false"
         classname="org.eclnt.jsfserver.util.SecurityFilterGeneral" />
   ...
 </system>

Thanks a lot to the community member having triggered us!

We will keep you updated.

Kind regards, Björn


Björn Müller, CaptainCasa GmbH
CaptainCasa

Some more information on this:

It has to do with security issues + the way the browser accepts cookies from embedded components.

So:

1. the problem only occurs if embedding page and embedded page are not loaded from the same "origin" (origin means "protocol + domain").

2. in non-origin scenarios cookies of embedded pages need to set the SameSite=None parameter. Currently this parameter is not set by the security-check-cookie yet.

We are just testing scenarios with setting this parameter - with good results...

There is one issue why we do not release as hot fix yet: the SameSite parameter is "bundled" with setting the "secure"-parameter to "true". Which means according to the spec that Cookies are only transferred in https scenarios - and we do not want our security cookie to break http-scenarios.

So the result of all is:

1. we only will switch the Cookie-based scenario on for "https://" scenarios.
2. we will set the Cookie-parameters correspondingly (SameSite=None; Secure) so that corresponding pages are by default embeddable into IFRAMEs also cross-origin

Issue 1. is no restriction at all: it does not make sense to send a Cookie with sensitive information over an un-encrypted network...

Changes will be part of next update.

Kind regards, Björn

Björn Müller, CaptainCasa GmbH
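The following is an added example and not code from CaptainCasa or the posts above. It models, in Node.js, the browser-side rules that produce the IFRAME problem and the server-side Set-Cookie header the second post plans to use. Chrome applies these rules per site (scheme plus registrable domain): a cookie without a SameSite attribute is treated as SameSite=Lax and is not sent into a cross-site IFRAME; SameSite=None is only accepted together with Secure; and a Secure cookie can only be set and sent over https. The cookie name "ccsec", the hostnames and the values are constructed for the example; the site computation uses the last two host labels instead of the Public Suffix List.

```javascript
// Added example, not part of CaptainCasa's code. Models the browser-side cookie
// rules behind the IFRAME problem and the server-side Set-Cookie header that
// the post's plan calls for. Cookie name "ccsec", hostnames and values are
// constructed for illustration.

// "Site" of a URL: scheme plus registrable domain. Browsers use the Public
// Suffix List; taking the last two host labels is enough for these hosts.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

// Store a Set-Cookie header the way Chrome does. Returns false when the
// browser rejects the cookie:
//  - no SameSite attribute            => treated as SameSite=Lax
//  - SameSite=None without Secure     => rejected
//  - Secure cookie set by an http page => rejected
function storeCookie(jar, setCookie, fromUrl) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const from = new URL(fromUrl);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: from.hostname, // host-only cookie; a Domain attribute is not modelled
    sameSite: "Lax",
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "samesite" && v) cookie.sameSite = v[0].toUpperCase() + v.slice(1).toLowerCase();
    if (key === "secure") cookie.secure = true;
  }
  if (cookie.sameSite === "None" && !cookie.secure) return false;
  if (cookie.secure && from.protocol !== "https:") return false;
  jar.push(cookie);
  return true;
}

// Cookies attached to a request for targetUrl made from a document whose
// top-level page is topUrl. Loading an IFRAME is not a top-level navigation,
// so a Lax cookie is only sent when the frame is same-site with the top page.
function cookiesForRequest(jar, targetUrl, topUrl) {
  const target = new URL(targetUrl);
  const sameSite = siteOf(targetUrl) === siteOf(topUrl);
  return jar
    .filter((c) => c.domain === target.hostname)
    .filter((c) => !c.secure || target.protocol === "https:")
    .filter((c) => sameSite || c.sameSite === "None")
    .map((c) => `${c.name}=${c.value}`);
}

// Server side, following the plan in the second post: the security-check
// cookie is only issued for https requests, and then with SameSite=None and
// Secure so the page stays embeddable in a cross-site IFRAME. Returns null for
// http, meaning the cookie-based check is not switched on there at all.
function securityCookieHeader(requestUrl, value) {
  if (new URL(requestUrl).protocol !== "https:") return null;
  return `ccsec=${value}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Scenario from the first post: a CC page on app.example.com embedded in an
// IFRAME on portal.example.org (a different site). Hosts are constructed.
function demo() {
  const ccPage = "https://app.example.com/cc/start";
  const embedder = "https://portal.example.org/portal";
  const jarOld = [];
  storeCookie(jarOld, "ccsec=abc; Path=/; HttpOnly", ccPage); // no SameSite => Lax
  const jarNew = [];
  storeCookie(jarNew, securityCookieHeader(ccPage, "abc"), ccPage);
  return {
    crossSiteOld: cookiesForRequest(jarOld, ccPage, embedder), // [] => cookie check fails
    crossSiteNew: cookiesForRequest(jarNew, ccPage, embedder), // ["ccsec=abc"]
    sameSiteOld: cookiesForRequest(jarOld, ccPage, "https://app.example.com/other"), // ["ccsec=abc"]
    httpHeader: securityCookieHeader("http://app.example.com/cc/start", "abc"), // null
  };
}

console.log(demo());
```

Running the block shows why Firefox and Chrome behaved differently at the time: the `crossSiteOld` result is empty because the unattributed cookie is treated as Lax, while the same cookie is still sent in the same-site case. The `storeCookie` rejections also show the coupling the second post describes: `SameSite=None` cannot be used without `Secure`, and a `Secure` cookie is dropped when set from an http page, which is why the cookie-based check is switched on for https only.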