3

Different SameSite Lax behavior on Chrome versus Firefox for the following:

  1. An HTML document on my site includes an iframe with another document on my site.
  2. Then, a third-party document is loaded in the iframe (with a return_url passed as a param).
  3. Then, the third party redirects to the first-party (my site) return URL inside the iframe.

On Chrome, the Lax cookies are sent, but on Firefox the Lax cookies are not sent.

It is not clear to me what the expected behavior is. Is there a standards document that explains what the correct behavior is in this particular situation (a third-party redirect back to first party inside an iframe)?

  • It stopped working on Chrome in version 90 (Lax cookies are not sent after redirect in iframe). – qbik Apr 28 '21 at 08:52
  • [This recent Chrome change](https://chromium-review.googlesource.com/c/chromium/src/+/2605504) may clear things up -- it links to a [spec update](https://github.com/httpwg/http-extensions/pull/1348) that is supposed to make redirect behavior consistent between FF and Chrome – Coderer May 31 '21 at 15:42

0 Answers