"SameSite=none" does not work with iframe

Question

After upgrade to Chrome Version 80.0.3987.132 cookies are not sent to the iframe request. On the Network tab (Chrome Dev tools), I do not see cookies for my requests.

After turning on the option "show filtered out requests cookies" I sees my cookies marked "This cookies was not sent due to user preferences."

The header for the cookie set:

set-cookie: token=jf23HaUI91Bd8L1chHq; expires=Wed, 18-Mar-2020 16:01:59 GMT; Max-Age=1799; path=/; SameSite=None; secure; domain=.example-domain.com; HttpOnly

When I open an iframe on the same domain everything works fine, but if it is a third-party domain via http or https, cookies will not work.

Has anyone come across this or know how to fix it?

Is this over https? Over http I don't think this will work. You have the secure flag in your header, requiring a secure connection — spencer, Apr 15 '21 at 17:45
have the similar problem with: https + samesite=none;secure + iframe. cookies are not passed. did u find the solution @mikolay-bet — UserBSS1, Apr 27 '21 at 06:49

score 0 · Answer 1 · answered Apr 19 '21 at 22:32

I think you should ensure that SameSite flag is always set to None for those cookies. If it's initially set to Lax, and then you try to make it None, it may not work.

Also, you should ensure that Secure flag is always set to true for SameSite=None cookies.

Max Barrass · Answer 2 · 2023-05-29T03:19:23.953

If you are using iframe with https, sanbox your iframe to get cookies working:

referrerpolicy="strict-origin-when-cross-origin"
sandbox="allow-forms allow-modals allow-popups allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation"
allow="encrypted-media; fullscreen; oversized-images; picture-in-picture; sync-xhr; geolocation;"
allowpaymentrequest="true"
allowpopups
allowfullscreen

Not sure what else you will need.

And you also you or not need your service in the iframe to set cookies with extra params

Path=/; HttpOnly; Secure; SameSite=none

score -2 · Answer 3 · answered Aug 16 '20 at 13:22

-2

It works for me, setting cookie via PHP; This is a HACK for php < 7.3 (!)

session_set_cookie_params(3600*24, '/;SameSite=None', $_SERVER['HTTP_HOST'], true);

(secure = true is important)

answered Aug 16 '20 at 13:22

bodomalo

153
1
1
11

score -2 · Answer 4 · edited Oct 02 '20 at 22:11

-2

In case of hosting in IIS you can add below configurations in web.config to avoid adding SameSite=Lex by browser

<sessionState mode="InProc" **cookieless="UseCookies" cookieSameSite="None"** timeout="20"/>

edited Oct 02 '20 at 22:11

andrews

2,173
2
16
29

answered Sep 24 '20 at 12:58

Roshan

1
1

score -6 · Accepted Answer · edited Dec 28 '20 at 09:21

-6

Deselect Block third-party cookies on chrome://settings/content/cookies

edited Dec 28 '20 at 09:21

ruohola

21,987
6
62
97

answered Mar 18 '20 at 16:55

Mikolay Bet

173
1
1
6

11

This is not a solution, you can't have all your users disable third-party cookie blocking ! – Florent Thiery Jan 21 '21 at 16:24

"SameSite=none" does not work with iframe

5 Answers5