Embedded comments, SameSite cookie issue
icestormz
Hi, so I embedded the universal comments on another site. I did everything correctly and could not get the signed-in user to show as signed in and able to comment, so I disabled the SameSite settings in the Chrome flags and it started working. The problem is that the cookies that identify the logged-in user are there, but the SameSite column when inspecting the cookie is blank, therefore the browser now marks them as SameSite=Lax, which will prevent an iframe from reading that cookie and allowing Vanilla to show that the user is logged in.
I need a way to either modify the core and add that cookie parameter so that it sets SameSite=None
reference
Comments
You will have to add the domain where the forum is embedded to the trusted domains list in your dashboard (/settings/security).
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
I did do that. This allows the frame to load on an external site but does not resolve the cookie issue, which is blocked by Chrome because the SameSite information in the cookies is not set.
This feature will be in the next open source release:
In the meantime, if you are on PHP 7.3, you can change line 604 in library/core/functions.compatibility.php:
Awesome, thank you. Looking forward to this fix; I will modify the line you have suggested.
Hi, has this been fixed in the 4.0 RC1 release? I am still not able to see the user logged in when viewing from an iframe.
@icestormz Yes, this has been fixed, however the new cookie functionality requires a secure context for SameSite=None cookies. This means you have to enable HTTPS and set
$Configuration['Garden']['ForceSSL'] = true;
in your config.
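The cookie behaviour discussed in this thread, as an added example that is not part of any post and is not Vanilla's code: a JavaScript check that classifies a Set-Cookie header by whether a browser enforcing "SameSite=Lax by default" will send the cookie to a forum embedded in a cross-site iframe. The function names and the sample headers are constructed for illustration.

```javascript
// Added example: classify Set-Cookie headers for use inside a cross-site iframe.
// Function names and header values are constructed, not taken from Vanilla.

// Parse one Set-Cookie header value into { name, attrs }, attribute names lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim(); // flag attributes become true
  }
  return { name, attrs };
}

// Decide whether the cookie is sent when the site that set it is loaded
// in an iframe on a different site.
function embedVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  const secure = attrs.secure === true;
  if (sameSite === 'none') {
    return secure
      ? { name, sent: true, reason: 'SameSite=None with Secure: sent in cross-site frames over HTTPS' }
      : { name, sent: false, reason: 'SameSite=None without Secure: rejected by the browser' };
  }
  if (sameSite === 'strict') {
    return { name, sent: false, reason: 'SameSite=Strict: never sent in cross-site frames' };
  }
  const why = sameSite === 'lax' ? 'SameSite=Lax' : 'no valid SameSite attribute, treated as Lax';
  return { name, sent: false, reason: `${why}: not sent to a cross-site iframe` };
}

// Constructed sample headers (cookie name and value are placeholders).
const samples = [
  'session=abc123; Path=/; HttpOnly',                        // the blank SameSite column
  'session=abc123; Path=/; HttpOnly; SameSite=None',         // None over plain HTTP
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=None', // None in a secure context
];
for (const h of samples) {
  const v = embedVerdict(h);
  console.log(`${v.sent ? 'OK     ' : 'BLOCKED'} ${h}\n        ${v.reason}`);
}
```

Only the third header survives in an embedded frame, which matches the thread: a missing SameSite attribute and SameSite=None without HTTPS both leave the embedded user appearing signed out.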