Why are iframe requests not sending cookies?

A sibling department has created an HTML file that is effectively a scaffold for a handful of iframes. The iframes each call a report, which is hosted on a web server, with slightly different parameters. The called report will show a sign-on form to unauthenticated users, or the report contents to already-authenticated users.

scaffold.html:

<html>
   <head>
      <title>I just show the output from a bunch of report calls</title>
   </head>
   <body>
      <iframe src="https://somesite.com/useful_report.html?parameter1=a&parameter2=1" id="iframe1"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=b&parameter2=2" id="iframe2"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=c&parameter2=3" id="iframe3"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=d&parameter2=4" id="iframe4"></iframe>
   </body>
</html>

The sibling organization explained to us that if a user was signed on to https://somesite.com, the above setup worked great--each of the iframes would display the useful_report.html content...until a few days ago.

When I

  1. sign on to https://somesite.com, then
  2. load file:///C:/Users/me/Desktop/scaffold.html into Chrome

each of the iframes returns the https://somesite.com sign-on form. If I then open useful_report.html in a separate tab, the report content loads (proving somesite.com knows I am still signed on‡).

Using developer tools, I can see that the request headers to useful_report.html do not include the "Cookie:" header, which explains why useful_report.html returns the sign-on form.

My question is: why are the iframe requests not sending cookies? What Chrome and/or server setting, policy or directive prevents it?

‡ - and now it knows that I know that it knows.

Jeromy French asked Dec 18 '18 22:12



1 Answer

That's because of the SameSite cookie policy, which Chrome defaults to Lax, meaning the cookies won't be sent unless the user can see the URL, which excludes iframes.

If you own somesite.com, you can opt out of this policy by setting the SameSite policy to None and deal with the risk of CSRF attacks with a Double Submit Cookie.

Arash.m.h answered Oct 18 '22 23:10
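The following Python model is an added illustration, not code from the question, the answer, or Chrome itself. It approximates Chrome's SameSite decision for the scenario above (a session cookie with no SameSite attribute, loaded from an iframe inside a file:// page versus opened in a separate tab), shows what changes when the cookie is reissued with SameSite=None; Secure, and then applies the double-submit-cookie check the answer recommends so that a cross-site POST cannot ride on that now-attached cookie. Every site name, cookie value and request object is constructed sample data; the Cookie and Request classes and the function names are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    """A stored cookie (constructed model, not a real browser cookie jar)."""
    name: str
    value: str
    site: str                 # registrable domain that set it, e.g. "somesite.com"
    samesite: str = "Lax"     # Chrome's default when the attribute is absent
    secure: bool = False


@dataclass(frozen=True)
class Request:
    """The parts of a request that matter for the SameSite decision."""
    url_site: str                  # registrable domain of the request URL
    initiator_site: Optional[str]  # site of the document issuing the request;
                                   # None for file:// pages (opaque origin)
    top_level: bool                # True for tab navigations, False for iframes,
                                   # images, fetch/XHR
    method: str = "GET"
    https: bool = True
    browser_ui: bool = False       # URL typed into the address bar or bookmark


def cookie_is_attached(cookie: Cookie, req: Request) -> bool:
    """Approximate Chrome's rule for attaching a cookie to a request."""
    if req.url_site != cookie.site:
        return False                      # cookie belongs to another site
    if cookie.secure and not req.https:
        return False                      # Secure cookies travel over HTTPS only
    mode = cookie.samesite.lower()
    if mode == "none":
        # Chrome rejects SameSite=None cookies that lack Secure, so such a
        # cookie is never stored and therefore never sent.
        return cookie.secure
    same_site = req.browser_ui or req.initiator_site == cookie.site
    if same_site:
        return True                       # same-site request: always attached
    if mode == "lax":
        # Lax lets a cross-site request carry the cookie only for a top-level
        # navigation with a safe method. An iframe load is not top-level (the
        # user never sees its URL), so the session cookie stays home.
        return req.top_level and req.method in ("GET", "HEAD")
    return False                          # Strict: cross-site never gets it


def issue_csrf_token() -> str:
    """Server mints a random token, sets it as a cookie AND embeds it in the form."""
    return secrets.token_urlsafe(32)


def double_submit_ok(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Accept a state-changing request only when the token carried in the cookie
    matches the copy submitted in the body. A cross-site page can make the
    browser *send* the cookie, but it cannot *read* it, so it cannot forge the
    body copy."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def post_accepted(csrf_cookie: Cookie, req: Request, form_token: Optional[str]) -> bool:
    """Server-side decision for a POST once the cookies have moved to SameSite=None."""
    cookie_token = csrf_cookie.value if cookie_is_attached(csrf_cookie, req) else None
    return double_submit_ok(cookie_token, form_token)


# --- the question's scenario, as constructed sample data ---
SESSION_DEFAULT = Cookie("session", "s3cr3t", "somesite.com")  # no SameSite attribute
SESSION_NONE = Cookie("session", "s3cr3t", "somesite.com", samesite="None", secure=True)
SESSION_NONE_INSECURE = Cookie("session", "s3cr3t", "somesite.com", samesite="None")

IFRAME_FROM_FILE = Request("somesite.com", initiator_site=None, top_level=False)
SEPARATE_TAB = Request("somesite.com", initiator_site=None, top_level=True, browser_ui=True)

# double-submit demo: the token is both a SameSite=None cookie and a form field
TOKEN = issue_csrf_token()
CSRF_COOKIE = Cookie("csrf", TOKEN, "somesite.com", samesite="None", secure=True)
CROSS_SITE_POST = Request("somesite.com", initiator_site="other.example",
                          top_level=True, method="POST")
SAME_SITE_POST = Request("somesite.com", initiator_site="somesite.com",
                         top_level=True, method="POST")

if __name__ == "__main__":
    print("default cookie, iframe from file://:", cookie_is_attached(SESSION_DEFAULT, IFRAME_FROM_FILE))
    print("default cookie, separate tab:       ", cookie_is_attached(SESSION_DEFAULT, SEPARATE_TAB))
    print("SameSite=None; Secure, iframe:      ", cookie_is_attached(SESSION_NONE, IFRAME_FROM_FILE))
    print("SameSite=None without Secure:       ", cookie_is_attached(SESSION_NONE_INSECURE, IFRAME_FROM_FILE))
    print("cross-site POST, no form token:     ", post_accepted(CSRF_COOKIE, CROSS_SITE_POST, None))
    print("same-site POST with form token:     ", post_accepted(CSRF_COOKIE, SAME_SITE_POST, TOKEN))
```

The first two results reproduce the symptom in the question: the same cookie is withheld from the iframe and attached in the separate tab. The third and fourth show why the opt-out must be SameSite=None together with Secure. The last two show the double-submit check doing the CSRF work that Lax used to do for free: the cross-site POST arrives with the cookie but without a matching body token and is rejected.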