I am trying to make a CORS request with credentials(Cookies attached) and Chrome is not attaching the Cookie to my request. I have set the cookie to a sub-domain of the existing page and i could observe it is set successfully from the Cookie manager.
I do not have this problem with Chrome 78th version(latest version). But for the previous versions, I have this problem(I have checked 75 and 77). As well as i do not have any problem with other major browsers also. They also attach cookies without a problem.(I have tested my code with Firefox, IE, Opera and Edge)
This how I have set the Cookie from external service end.
res.setHeader('Set-Cookie','cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None;');
Complete sample code base can be found in following links:
External service - https://github.com/bhanukayapa/cors-backend.git
Front-end application - https://github.com/bhanukayapa/cors-angular-frontend.git
Can someone please explain the root cause for this problem? I checked Chrome release notes also. I could not find and bug fix or improvement related to this. Thanks in advance.
If setting SameSite=None this must be paired with Secure. e.g.
res.setHeader('Set-Cookie','cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None; Secure');
Related
When browsing to http://localhost:8080/ in chrome I get redirected to a bad request page, provided by the chrome browser. If I browse to the network url ie: http://192.168.1.1:8080/, then the chrome browser happily loads it.
The localhost url works fine in Firefox and in Edge.
Has anyone experienced this behaviour before and know how to fix it?
Check your chrome proxy settings and hosts file, also try the guest and private mode.
It might be a cookies problem
I'm developing a ionic app and I need to make some CORS requests for dev purpose.
I use chrome v49 with -disable-web-security. I also use an .htcacces to allow OPTIONS request.
But i still get an error 405.
Chrome header sum'up
Try adding the chrome Extension Allow-Control-Allow-Origin: * from chrome webstore , enable
cross-origin resource sharing
from its option, then reload the page
Thanks for your answer. We already tried that but it did not succeed either.
The problem was server side. We used symphony witch refuse everything with is rly strict policy. To solve this we used NelmioCorsBundle.
When I try to launch a custom protocol from https connection, Chrome version 30 is giving the following error.
[blocked] The page at https://something.com ran insecure content from custom-protocol://somethingelse.com/myapp
Chrome version 29 works fine.
Did anyone come across similar issue?
Is this a new issue/feature in chrome?
Appreciate any response.
Thanks in advance.
I did, and the problem was that I was using https to access the page, the link was in an iframe and most of all, the certificate used in the https was not trusted. After moving to https works fine.
And by the way, it was working in FireFox.
Hope it helps!
We developed new file action for our web-app, it works fine when using chrome or Firefox but on IE we have problems, when trying to understand the issues we noticed that when the message goes to our web-app it doesn't send any cookies including the session cookie although the web-app sends set-cookie header.
why is it happens?
OK, we found the problem, apparently when using iframes in IE cookies are blocked as IE refers to Iframes as third party app, to unblock cookies we should to add privacy policy to the headers using P3P header.
good place to read about is - Cookie blocked/not saved in IFRAME in Internet Explorer.
This sounds like a possible bug on our end. Can you email us at API AT box.com with specific information about the request that's being sent as well as which version of IE you're using?
This example to load a url in an iframe works. However when I change url to something like http://www.yahoo.com the iframe doesn't load antyhing
Here is an example side by side.
In Network tab of developer tools for Chrome, I see that request to Yahoo was cancelled. In FF it doesn't give any errors, just doesn't return any content. IE9 gives a message that It cannot display this content.
This happens in Chrome, FF and IE9 (I haven't tested previous versions of IE).
That is because Yahoo itself prevents this from happening.
It has been noted here: https://stackoverflow.com/a/9013722/476786
To see for yourself, try setting the source to http://www.google.com/ which won't work as well, but then try http://www.bbc.co.uk/ and that will work.
Possibly works as described here: https://stackoverflow.com/a/2896705/476786 using X-FRAME-OPTIONS
If the site hosting the webpage forces the use of a secure HTTPS connection, some browsers (chrome for sure) will require that all network resources use HTTPS as well.
Basically if your site forces HTTPS, try setting src="https://yahoo.com"
This won't solve OP's answer directly due to it being a limitation of Yahoo itself, but other people viewing this page might be experiencing this issue as a result of this (I was).