Set CORS policies, http security headers to avoid error: Some cookies are misusing the recommended Same-Site attribute. (27)
#10249
Labels
Area: Environment
Issues & PRs related to the application environment
Priority:Important
Issues & PRs that are important; broken functions, errors - there are workarounds
Type: Bug
Bugs within the core SuiteCRM codebase
Issue

Expected Behavior

There should be no CORS errors in the browser console. Bonus: when the app is running in https mode, all cookies should be set to secure mode. And http security headers should be added:

x-strict-transport-security
x-frame-options
x-xss-protection
content-security-policy
referrer-policy (could be no-referrer-when-downgrade)
Actual Behavior
Some cookies are misusing the recommended Same-Site attribute (27).
Possible Fix

CORS changes the game rules: stackoverflow.com/questions/46288437/… With it you have, server side: Access-Control-Allow-Credentials, Access-Control-Allow-Origin, Access-Control-Allow-Headers + cookie settings Secure, SameSite=None; and client side: XMLHttpRequest.withCredentials + ES6 fetch() credentials:'include'.
Steps to Reproduce

Ctrl Shift I), you will see the error listed there.

Context
Modern browsers are getting more and more strict with regard to cookies and CORS rules. If this issue is not fixed soon, the app will start to malfunction, because the browser will discard these non-compliant cookies without explicitly set CORS policies.

Your Environment