iFrame restrictions

SameSite updates for cookies

SameSite is a cookie attribute that tells the browser whether a cookie may be attached to cross-site requests, that is, requests to a site other than the one shown in the address bar. It limits what embedded third-party content (images, iframes, cross-site form submissions) can do with a user's existing cookies, which mitigates both cross-site request forgery and cross-site tracking. Starting with Chrome 80, released in February 2020, Google changed how Chrome handles the attribute: every cookie is interpreted according to one of the following three SameSite values, and a cookie that does not specify the attribute at all is treated as Lax:

  • Strict: the cookie is never sent with a cross-site request, not even when the user follows a link to the site.
  • Lax: the cookie is sent when the user navigates to the site at the top level (for example by following a link), but not with cross-site subrequests such as images and iframes. This is the value Chrome applies when the attribute is missing.
  • None: the cookie is sent with all cross-site requests. Chrome 80 accepts SameSite=None only together with the Secure attribute, so such a cookie can be set and sent only over HTTPS.

In practice this means that starting from Chrome 80 you cannot use the product in an iframe over the unsecured HTTP protocol: a cookie that must reach a page embedded in a frame on another site has to be SameSite=None, and Chrome rejects a SameSite=None cookie that is not also Secure. Attempting to do so results in the following error: "Due to browser policy restrictions, this URL cannot be opened using the insecure HTTP protocol. Please use the secure HTTPS protocol or change your browser policy". The error message also includes the following link to the Chromium website: https://www.chromium.org/updates/same-site. The error affects Google Chrome and Chromium-based Microsoft Edge. The proper fix is to serve the product over HTTPS. As a workaround on an individual workstation you can set the SameSite by default cookies flag in the browser to Disabled, which restores the pre-Chrome 80 behavior (the flag must be Disabled, not Enabled, for the frame to work over HTTP). Be aware that this weakens CSRF protection for every site visited in that browser, and that the flag was removed in Chrome 91, so the workaround only applies to Chrome and Edge versions 80 through 90.

Disabling SameSite by default in Google Chrome

To switch off the new default, do the following:

  1. Navigate to chrome://flags/#same-site-by-default-cookies
  2. Set the SameSite by default cookies flag to Disabled. If the product sets SameSite=None on its cookies explicitly, also set the Cookies without SameSite must be secure flag to Disabled.
  3. Restart your browser in order for the changes to take effect.
  4. Open your website inside the iframe and verify that it loads; the developer tools console (F12) should no longer report the cookie error.

Disabling SameSite by default in Microsoft Edge

To switch off the new default, do the following:

  1. Navigate to edge://flags/#same-site-by-default-cookies
  2. Set the SameSite by default cookies flag to Disabled. If the product sets SameSite=None on its cookies explicitly, also set the Cookies without SameSite must be secure flag to Disabled.
  3. Restart your browser in order for the changes to take effect.
  4. Open your website inside the iframe and verify that it loads; the developer tools console (F12) should no longer report the cookie error.

Updates for other browsers

Other browsers are adopting the same model: Chromium-based browsers already enforce it, and Mozilla has announced the same defaults for Firefox. Whichever browser you target, apply the following rules to your cookies:

  • A cookie without the SameSite attribute is treated as SameSite=Lax, so it will not be sent to a page embedded in an iframe on another site. If third-party access is required, set the SameSite attribute explicitly.
  • A cookie that requires third-party (cross-site) access must carry both attributes: "SameSite=None; Secure". This also means the cookie can only be set and used over HTTPS.
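The following Node.js snippet is an added example, not code from the product or from this article. It models the three SameSite values described above together with the Chrome 80+ acceptance rules (a missing attribute means Lax; SameSite=None without Secure is rejected), and applies them to the iframe case this article is about, as well as to the Set-Cookie form the last list recommends. The functions `parseSetCookie`, `isSent`, `sentToIframe` and `thirdPartyCookie`, and the Set-Cookie headers used as input, are constructed for the example; Chrome's temporary "Lax+POST" allowance for cookies less than two minutes old is deliberately left out.

```javascript
// Added example: a small model of SameSite cookie handling as described in
// this article. Plain Node.js, no dependencies. Not the product's own code.

const SAME_SITE_DEFAULT = "Lax"; // Chrome 80+: a missing SameSite attribute means Lax

// Parse a Set-Cookie header value into { name, value, sameSite, secure }.
// sameSite is null when the attribute is absent; an unknown value is
// treated like an absent one (which Chrome then defaults to Lax).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    sameSite: null,
    secure: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") {
      const v = rawVal.trim().toLowerCase();
      cookie.sameSite = v === "strict" ? "Strict" : v === "none" ? "None" : "Lax";
    }
  }
  return cookie;
}

// Chrome 80+ rejects (never stores) a SameSite=None cookie that is not also Secure.
function isAccepted(cookie) {
  return !(cookie.sameSite === "None" && !cookie.secure);
}

// Decide whether the browser attaches `cookie` to a request.
// ctx = { crossSite, topLevelNavigation, method, https }, where `https` is the
// scheme of the request URL (the product), not of the page embedding it.
function isSent(cookie, ctx) {
  if (!isAccepted(cookie)) return false;         // rejected at Set-Cookie time
  if (cookie.secure && !ctx.https) return false; // Secure cookies travel only over HTTPS
  if (!ctx.crossSite) return true;               // same-site: SameSite imposes nothing
  switch (cookie.sameSite || SAME_SITE_DEFAULT) {
    case "Strict":
      return false;                              // never on a cross-site request
    case "Lax":
      return ctx.topLevelNavigation && ctx.method === "GET"; // links yes, iframes/images no
    case "None":
      return true;                               // all cross-site requests
    default:
      return false;
  }
}

// The article's situation: the product loaded in an <iframe> on another site.
// That is a cross-site GET subrequest, not a top-level navigation.
function sentToIframe(setCookieHeader, productOverHttps) {
  return isSent(parseSetCookie(setCookieHeader), {
    crossSite: true,
    topLevelNavigation: false,
    method: "GET",
    https: productOverHttps,
  });
}

// The Set-Cookie value a server should emit for a cookie that must work inside
// a third-party iframe: SameSite=None together with Secure (and HttpOnly, since
// a session cookie has no reason to be readable from script).
function thirdPartyCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Walk through the combinations discussed in the article.
const cases = [
  ["session=abc", true],                     // no attribute -> Lax -> blocked in iframe
  ["session=abc; SameSite=Lax", true],       // explicit Lax -> blocked in iframe
  ["session=abc; SameSite=None", false],     // None without Secure -> rejected outright
  ["session=abc; SameSite=None; Secure", false], // Secure cookie, HTTP product -> not sent
  [thirdPartyCookie("session", "abc"), true], // None + Secure over HTTPS -> works
];
for (const [header, https] of cases) {
  console.log(`${https ? "https" : "http "} | ${header.padEnd(52)} -> sent: ${sentToIframe(header, https)}`);
}
```

Only the last combination reaches the embedded frame, which is exactly why the product refuses to run in an iframe over plain HTTP: with the default rules there is no cookie configuration that works without HTTPS.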

3/2/2021 8:10:41 AM

