Chrome Samesite - cross domain iframe use-case
Article ID: 195343


Updated On: 02-28-2024

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction


With 3 Web Agents deployed, when a user accesses a page that contains an iframe whose content is served by another Web Agent in a different cookie domain, the SMSESSION cookie is not sent to that second Web Agent, and the browser is redirected back to the Cookie Provider.

The flow scenario is as follows:

  1. The user accesses the Application 1 URL in Chrome 80; Application 1 works as expected.
  2. Application 1 then embeds Application 2 in an iframe.
  3. Application 2 has no cookie in the browser, so it redirects the browser to the Cookie Provider; the browser then enters a redirect loop that ends with the error:

    wa.example.com redirected you too many times

  4. Setting "getcpcookie=yes" on the Cookie Provider instance was tried, but the issue is still reproduced.

Configuration:

  Cookie Provider URL = http://wa.example.com/smmakecookie.ccc
  Cookie Provider cookie domain = .example.com
  Cookie Provider samesite value = none

  Application 1 URL = http://mywa.example.org/index.html
  Application 1 cookie domain = .example.org
  Application 1 cookie provider URL = http://wa.example.com/smmakecookie.ccc
  Application 1 samesite value = not set, so Chrome 80 treats the cookie as Lax

  Application 2 URL = http://mywa.example.net/index.html
  Application 2 cookie domain = .example.net
  Application 2 cookie provider URL = http://wa.example.com/smmakecookie.ccc
  Application 2 samesite value = not set, so Chrome 80 treats the cookie as Lax

 

Environment

 

  3 Web Agents 12.52SP1CR10 with SameSite patches 64bit on Apache 2.4 64bit on RedHat 6;
  Policy server 12.8SP3 on RedHat6;

 

Resolution

 
The use case combines two of the use cases described in the documentation (1):

  • Cookie Provider flow for any POST request to an application;
  • SSO between applications when an SMSESSION cookie exists and a POST request is initiated cross-site.

As such, apply the SameSite fix on all 3 Web Agents.

The following iframe code on the page makes the use case work with Internet Explorer, using the HTML Form Authentication Scheme.

The target page served by app 1 mywa.example.org:

  <!DOCTYPE html>
  <html>
  <body>

  <h1>The iframe element</h1>

  This is test page

  <!-- The form posts into the cross-site iframe below, which is the
       "POST request initiated cross-site" use case from the documentation -->
  <form action="action" method="post" target="output_frame">
      <!-- input elements here -->
  </form>
  <!-- app 2 lives in a different cookie domain (.example.net) than this page (.example.org) -->
  <iframe name="output_frame" src="http://mywa.example.net/home/index.html" id="output_frame">
  </iframe>

  </body>
  </html>

The http://mywa.example.net/home/index.html resource has this code:

  <html>home</html>

First, configure the Cookie Provider and both Web Agents as follows (values as logged by each Web Agent at startup):

wa.example.com (cookie provider) :

  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.

mywa.example.org (app 1)

  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.

mywa.example.net (app 2 embedded iframe in mywa.example.org)

  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.

With Internet Explorer (iexplore) this works: the browser logs in only once at mywa.example.org and the embedded mywa.example.net page is displayed.

With Google Chrome it doesn't work: the browser logs in at mywa.example.org and is then asked to log in again at mywa.example.net.

After trying to reach mywa.example.net, the browser is redirected to the Cookie Provider, but the Cookie Provider's own cookie isn't sent with that request: the request is made from inside the iframe, so it is cross-site with respect to the top-level example.org page, and a cookie without a SameSite attribute is treated as Lax by Chrome 80 and withheld from cross-site subrequests. The Cookie Provider therefore cannot create a cookie for mywa.example.net.

Changing the configuration on the Cookie Provider to use the ACO parameters from the SameSite enhancement:

wa.example.com (cookie provider):

  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.

Now, with Google Chrome it still doesn't work: the user logs in only once at mywa.example.org, but the resource from mywa.example.net doesn't show up.

In Fiddler traces, after trying to reach mywa.example.net, the browser is redirected to the Cookie Provider, and this time the Cookie Provider's cookie is sent, so a cookie is set for the example.net domain. But the Agent at example.net then goes back to the Cookie Provider in a loop, because the expected cookie is never received: the example.net cookie still has no SameSite attribute, so Chrome does not attach it to the cross-site requests made from inside the iframe.

The browser shows then the following error:

  wa.example.com redirected you too many times.
  
Finally, keeping the Cookie Provider with the same configuration and also adding the SameSite ACO parameter on the two other Web Agents:

wa.example.com (cookie provider) :

  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.

mywa.example.org (app 1)

  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 11:09:59] samesite='None'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.

mywa.example.net (app 2 embedded iframe in mywa.example.org)

  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.example.com/smmakecookie.ccc'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 11:09:59] samesite='None'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.
  
Then the use case works as expected: the user logs in only once at mywa.example.org, and the page embedded in the iframe from example.net gets its expected cookie and is displayed within the example.org page:

  http://mywa.example.org/home/index.html

  The iframe element
  This is test page

  +------+
  | home |
  |      |
  |      |
  +------+
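
Note that Chrome also rejects a SameSite=None cookie that is not marked Secure once that enforcement is active in the browser, so outside a lab setup like the http:// URLs above, the Cookie Provider and the agents should be served over HTTPS and the SMSESSION cookie must carry the Secure attribute.

The following is an added example, not SiteMinder code and not part of the original article: a minimal model of Chrome's SameSite cookie attachment rules, replayed against the three configurations tried above, plus a check for Set-Cookie headers captured in a trace. The hostnames and the SMSESSION cookie name come from the article; the model itself, the siteOf() helper and the simplifications it makes are assumptions of this example.

```javascript
// Added example (not SiteMinder code): a minimal model of Chrome's SameSite
// cookie attachment rules, replayed against the three Web Agent configurations
// tried in this article. Hostnames and the SMSESSION cookie name come from the
// article; the model itself, siteOf() and the Set-Cookie check are assumptions
// of this example and simplify what the browser really does.

// Registrable domain ("site") of a host. Good enough for the example hosts;
// a real implementation would consult the Public Suffix List.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Domain-match: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '');
  return host === d || host.endsWith('.' + d);
}

// Would Chrome 80 (Lax by default) attach this cookie to this request?
// ctx.topLevelSite is the site of the top-level document the request is made
// from; ctx.topLevelNavigation is true for a navigation of the main frame.
function cookieSent(cookie, ctx) {
  if (!domainMatches(ctx.host, cookie.domain)) return false;
  const mode = (cookie.sameSite || 'Lax').toLowerCase(); // unset => Lax
  const sameSiteRequest = siteOf(ctx.host) === ctx.topLevelSite;
  switch (mode) {
    case 'none':
      return true;            // sent cross-site (Chrome also requires Secure)
    case 'strict':
      return sameSiteRequest;
    default:                  // lax
      return sameSiteRequest || (ctx.topLevelNavigation && ctx.method === 'GET');
  }
}

// Replays the article's flow: the app 1 page (example.org) is the top-level
// document; its iframe loads app 2 (example.net), which bounces through the
// Cookie Provider (example.com). Returns 'ok' or where the redirect loop is.
function simulateIframeFlow({ cpSameSite, app2SameSite }) {
  const topLevelSite = 'example.org';
  // The earlier top-level login already left SMSESSION on the CP domain.
  const jar = [{ name: 'SMSESSION', domain: '.example.com', sameSite: cpSameSite }];
  const inIframe = (host) => ({ host, topLevelSite, topLevelNavigation: false, method: 'GET' });
  const hasSession = (host) => jar.some((c) => c.name === 'SMSESSION' && cookieSent(c, inIframe(host)));

  // 1. iframe GET mywa.example.net: no SMSESSION for .example.net yet -> redirect to CP.
  if (hasSession('mywa.example.net')) return 'ok';
  // 2. GET wa.example.com/smmakecookie.ccc: the CP must see its own SMSESSION.
  if (!hasSession('wa.example.com')) return 'loop: Cookie Provider never receives SMSESSION';
  // 3. CP redirects back with the session; agent 2 sets SMSESSION for .example.net.
  jar.push({ name: 'SMSESSION', domain: '.example.net', sameSite: app2SameSite });
  // 4. iframe GET mywa.example.net again: is the new cookie attached?
  return hasSession('mywa.example.net') ? 'ok' : 'loop: agent at example.net never receives SMSESSION';
}

// Check a Set-Cookie header captured in a Fiddler/DevTools trace: Chrome only
// stores a SameSite=None cookie that is also marked Secure.
function checkSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const ss = attrs.find((a) => a.startsWith('samesite='));
  const sameSite = ss ? ss.split('=')[1] : null;   // null => browser default (Lax)
  const secure = attrs.includes('secure');
  return { sameSite, secure, acceptedByChrome: sameSite !== 'none' || secure };
}

// The three configurations from the article, in order.
const configs = [
  { label: 'no SameSite anywhere', cpSameSite: undefined, app2SameSite: undefined },
  { label: 'SameSite=None on CP only', cpSameSite: 'None', app2SameSite: undefined },
  { label: 'SameSite=None on CP and agents', cpSameSite: 'None', app2SameSite: 'None' },
];
for (const c of configs) {
  console.log(`${c.label}: ${simulateIframeFlow(c)}`);
}
```

Running the block prints one line per configuration: the first loops at the Cookie Provider, the second loops at the example.net agent, and the third completes, which is the same progression the Fiddler traces above show. cookieSent() also reproduces the two documented use cases directly: a Lax cookie is attached to a top-level cross-site GET to the Cookie Provider but not to a top-level cross-site POST. The model deliberately ignores Chrome's two-minute "Lax+POST" grace period for cookies set without a SameSite attribute and does not enforce the Secure requirement when storing cookies; checkSetCookie() is the place to verify the latter against a captured header.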

 

Additional Information