URGENT! Envato iframe now broken my plugin and others!

The Envato iframe is setting wrong cross policies that block scripts from loads and they broke my plugins!

LocalStorage and cookies are not working! The error is caused by Envato server:

Error with Feature-Policy header: Unrecognized feature: ‘speaker’.

Try it here: https://codecanyon.net/item/support-board-chat-and-help-desk/20752085

Errors in console:

Update: the errors happens only on Chrome and chromium-based browsers.

Solved: cookies are blocked when into an iframe from another domain. I used localStorage as work around.

1 Like

Hello Schiocco :slight_smile:
Hope you guys are doing good during these strange times.

Did you try setting samesite cookies to none ?

Method 1 : Using PHP

$currentCookieParams = session_get_cookie_params();
$cookie_domain= 'your domain';
if (PHP_VERSION_ID >= 70300) {
session_set_cookie_params([
    'lifetime' =>  $currentCookieParams["lifetime"],
    'path' => '/',
    'domain' => $cookie_domain,
    'secure' => "1",
    'httponly' => "1",
    'samesite' => 'None',
]);
} else {
session_set_cookie_params(
    $currentCookieParams["lifetime"],
    '/; samesite=None',
    $cookie_domain,
    "1",
    "1"
);
}
session_start();

Method 2 : Using .htaccess file
Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"

Method 3 : Ngnix Configuration

location / {
        # your usual config ...
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=none";
    }
1 Like

Thank you! Detailed answer, it will be useful for other things too.
Anyway, the issue with the Envato iframe comes before PHP, also with JS, I can’t get cookies to work…

I used this code and it is not working when inside and Envato iframe:

document.cookie = name + "=" + value + ";expires=Thu, 01 Jan 1970 00:00:01 GMT" + ";path=/;SameSite=None";

:slight_smile:
Could you please try to add “secure” & check ? You have to set SameSite to None, and secure to True.
document.cookie = name + "=" + value + ";expires=Thu, 01 Jan 1970 00:00:01 GMT" + ";path=/;SameSite=None;Secure";

1 Like

Just tried but it looks like the same: https://schiocco.com/shared/2020-10-27_122022.jpg https://schiocco.com/shared/2020-10-27_122144.jpg
Cookies are not set.

Hello :slight_smile:

It seems to be working fine for us.

Could you please try this ?

document.cookie = "cookietest=schiocco; expires=Thu, 18 Dec 2020 12:00:00 UTC;path=/;SameSite=None;Secure";

Also could you please try adding the following in your .htaccess file?
Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"

1 Like

Thanks for your feedback. Unfortunately, the same error occurs with bot .htaccess update and cookie SameSite=None; Secure.

Mind that the cookies appear in the browser developers tools, they are saved in the source domain, but if you try to read them via JS, they will not work.

Hi @Schiocco,

Looks like you’ve worked around the problem by using localStorage.

The “speaker” issue is a red herring here – Chrome displays it as an error, but it’s unrelated to your site or Javascript in general (it’s a part of Feature Policy, but support for that varies across browsers).

As you’ve seen, your application is sending cookies without a SameSite attribute, which Chrome now treats as if you’d set them as Lax – meaning they’re only sent when the domain of the page matches the domain of the cookie. In the context of a cross-site iframe, these don’t match, and the cookie is not sent. Setting the attribute to None will solve part of the problem, but you also must set the Secure boolean attribute on the cookie as well (Chrome 80+ requires this).

Please note that this isn’t behavior that Envato has control over; rather it’s the browser manufacturers slowly clamping down on iframes and cross-site interactions, to improve browser security.

Once your cookies set both SameSite=None and Secure, they should start working in the preview iframe again.

Hi, thank you but as stated, the cookies in my application are setted with secure + samesite:none

But they don’t work.
Anyway, I solved with local storage :wink:

Thank you!

Hi again,

I’m happy to hear it’s working for you using local storage!

For the purposes of other folks having the same issue and coming across this thread, I wanted to close the loop.

It doesn’t appear that the cookies are being set properly. When I view them on your site directly:

You can see that both the Secure and SameSite columns are empty – Secure should contain a checkmark, and SameSite should contain the value None.

When viewing your page within the Market iframe, no cookies are loaded (since they’re missing both values). I built a small test webapp inside an iframe and can duplicate this behavior exactly.

So, for the time being (until browser vendors change something else), cookies can still work within iframes, so long as they have the Secure flag set and use SameSite=None.

There’s an ongoing thread about this issue. It’s unfortunate that you have to resort to allowing cross-site cookies or using local storage, but it’s something that’s only controlled by the browser vendors. We’re considering how we can make this scenario better and hope to have some changes soon.

Thank you! You was right. I updated my code and now secure and samesite are set and also cookies work. Thank you!