[SalesForce] Cookie error with embedded VisualForce page in Chrome

I'm trying to embed some VisualForce pages in the layout for a Custom object.

This works fine in Firefox, but not in Chrome. Instead, for each embedded page (there are three) I get the message:

Your browser privacy settings have prevented this page from showing some Visualforce content. To display this content you need to change your browser privacy settings to allow "Third Party" cookies from the domain obfuscated-domain–c.visualforce.com. Alternatively, if your browser is Internet Explorer, you can add obfuscated-domain–c.visualforce.com to your trusted sites list in the security options page.

All cookie types are enabled in Chrome.
Existing cookies have been cleared and I've logged in again.
I've added the main site and the visualforce.com site to the list of 'Sites that can always use cookies' in Chrome

But the issue continues.

Anyone else had this issue? What's the solution?

Thanks!

Best Answer

AFAIK this behavior is a result of Chrome changing the default cross-domain (SameSite) behavior of cookies in Chrome version 84+. To accommodate this change it is necessary to use HTTPS instead of HTTP

Please refer to the following knowledge article for more information:

Google Chrome Browser Release 84 Changes SameSite Cookie Behavior and Can Break Salesforce Integrations

Solution:

In session settings enable the following:

Require secure connections (HTTPS)

Require secure connections (HTTPS) for all third-party domains

Related Solutions

[SalesForce] Salesforce Cookies behaving differently by introducing Model class using IE

I am pretty sure it works if you change the '.force.' to null in your Cookie creation. Just booted Windows, installed a gazillion updates, and then tested it in IE10.

That parameter is the path of the cookie, not the domain. Unfortunately the constructor of the Cookie class seems not to be documented, the best 'documentation' I found from Salesforce is in the example code of the documentation.

What's interesting is that Chrome and Firefox seem to ignore the path value '.force.' as it doesn't look like a proper path (maybe they only take it into account if it starts with a slash) while IE does not store the cookie as it doesn't match the path. Looking at RFC 6265 it seems that IE gets it wrong (Who would've thought ...):

If the uri-path is empty or if the first character of the uri-path is not a %x2F ("/") character, output %x2F ("/") and skip the remaining steps.

[SalesForce] sameSite attribute issue with iFrame page while using chrome browser

I let my application team know regarding this issue. I shared the console log error. They fixed it with adding cookies in the header in generic filter class that calls before to every request. That fixed for me. It goes like below.

class SameSiteFilter extends GenericFilterBean {
@Override
public void doFilter (ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletResponse resp = (HttpServletResponse) response;
    String cookie = resp.getHeader("Set-Cookie");
    if (cookie != null) {
        resp.setHeader("Set-Cookie", cookie + "; HttpOnly;SameSite=none; Secure");
    }
    chain.doFilter(request, response);
}}

This was done from application side. I didn't do anything from SF side. All other functionalities working fine.

Best Answer

Related Solutions

[SalesForce] Salesforce Cookies behaving differently by introducing Model class using IE

[SalesForce] sameSite attribute issue with iFrame page while using chrome browser

Related Topic