Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Won't Fix
-
Affects Version/s: EE-1.8.2.GA_P10, EE-3.3.0.GA_P07, EE-4.3.0.GA_P01
-
Fix Version/s: EE-1.8.2.GA_P11, EE-4.3.0.GA_P02, EE-3.3.0.GA_P08
-
Component/s: Bridge
-
Labels:None
-
Environment:All ICEpush envs.
-
Assignee Priority:P1
-
Support Case References:SF#14574
Description
Case Subject: set SameSite=None and secure for ice.push.browser cookie
Case Description: How to set SameSite=None and secure for "ice.push.browser" cookie from our application. Please help on this. Because our application will not support from chrome 80 onwards as browser will restrict the cross domain cookies without SameSite=None and secure.
Case Description: How to set SameSite=None and secure for "ice.push.browser" cookie from our application. Please help on this. Because our application will not support from chrome 80 onwards as browser will restrict the cross domain cookies without SameSite=None and secure.
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
When ICEpush is initialised it will always connect back to the same site where the page (that initialised it) was loaded from. Because of that ice.push.browser will always be used as a first-party cookie.
Also, there aren't any ICEpush resources that can be referenced from a different site that can be accessed through a GET request, nor ICEpush care to have ice.push.browser cookie set as a third-party cookie to track its usage on other sites.
For that matter we could create ice.push.browser with SameSite=Strict and ICEpush should still work in any deployment. Since we do not specify SameSite cookie attribute it defaults to Lax. And finally, setting ice.push.browser with SameSite=None it's not possible because that would force it to also be Secure which will cripple deployments where a reverse proxy (as load balancer) is setup.