There is a SameSite attribute that seems to be causing some trouble when working with mashups. The error seen in Chrome is:
"A cookie associated with a cross-site resource at ....[URL]... was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032."
Even though this comes from the Chrome console, other browsers such as Mozilla and Edge are also displaying similar warnings. Is there a way around this error?
Also see Community post Cross-Site requests with cookies without the SameSite attribute are being blocked by Google Chrome
NOTE: This issue does not impact NPrinting and no NPrinting patches are required
Environment:
- Qlik Sense Enterprise, November 2019
- QlikView Server, April 2019
- Google Chrome 80
This is a new CORS security standard/feature that browsers are now enforcing, or beginning to enforce as developers begin to opt in. More information is available here https://www.chromestatus.com/feature/5088147346030592 and here https://www.chromestatus.com/feature/5633521622188032, as the above error mentions.
Product Defect ID(s):
The issue has been fixed by setting the attribute SameSite=None.
It is also now possible to change the SameSiteAttribute values if needed, as described below, in the Qlik Sense patches listed further down:
Default behavior for https is to set SameSite=None. Default behavior for http is to set neither the SameSite attribute nor the Secure attribute, just as it was before this change. Other behaviors can be configured. This change is available in all patches listed below. By default, the above applies. If you wish to configure other values, do the following:
1. Open the Proxy.exe.config file, which by default is located in "C:\Program Files\Qlik\Sense\Proxy".
2. Add the following strings in the <appSettings> section with the desired values, for example:
<add key="SessionCookieSettings.Https.HasSecureAttribute" value="true"/>
<add key="SessionCookieSettings.Https.SameSiteAttribute" value="None"/> <!-- Valid values are NoAttribute, None, Lax and Strict -->
<add key="SessionCookieSettings.Http.HasSecureAttribute" value="false"/>
<add key="SessionCookieSettings.Http.SameSiteAttribute" value="None"/> <!-- Valid values are NoAttribute, None, Lax and Strict -->
3. Restart Qlik Sense Proxy Service.
4. Repeat above actions on each node of the cluster running the Qlik Sense Proxy Service.
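A check that can be run on the keys from step 2 before restarting the proxy, as an added example that is not Qlik's own code: it flags values outside the article's list and the SameSite=None without Secure combination that the Chrome message above says is blocked. The function name, the `<configuration>` wrapper and the sample text are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "SessionCookieSettings."
VALID_SAMESITE = {"NoAttribute", "None", "Lax", "Strict"}  # spellings listed in the article

# Constructed sample: the article's four example keys inside a minimal wrapper.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="SessionCookieSettings.Https.HasSecureAttribute" value="true"/>
  <add key="SessionCookieSettings.Https.SameSiteAttribute" value="None"/> <!-- Valid values are NoAttribute, None, Lax and Strict -->
  <add key="SessionCookieSettings.Http.HasSecureAttribute" value="false"/>
  <add key="SessionCookieSettings.Http.SameSiteAttribute" value="None"/>
</appSettings></configuration>"""


def audit_proxy_config(xml_text):
    """Return findings for the SessionCookieSettings keys under <appSettings>."""
    root = ET.fromstring(xml_text)
    settings = {
        add.get("key"): (add.get("value") or "").strip()
        for add in root.findall("./appSettings/add")
        if (add.get("key") or "").startswith(PREFIX)
    }
    findings = []
    for scheme in ("Https", "Http"):
        same_site = settings.get(f"{PREFIX}{scheme}.SameSiteAttribute")
        secure = settings.get(f"{PREFIX}{scheme}.HasSecureAttribute")
        if same_site is not None and same_site not in VALID_SAMESITE:
            findings.append(f"{scheme}: invalid SameSiteAttribute {same_site!r}")
        if secure is not None and secure.lower() not in ("true", "false"):
            findings.append(f"{scheme}: HasSecureAttribute must be true or false, got {secure!r}")
        # Only an explicit "false" is flagged; an absent key falls back to the
        # product default, which this check does not try to guess.
        if same_site == "None" and secure is not None and secure.lower() == "false":
            findings.append(f"{scheme}: SameSite=None without Secure, which Chrome 80 blocks on cross-site requests")
        if scheme == "Http" and secure is not None and secure.lower() == "true":
            findings.append("Http: browsers do not send Secure cookies over plain http")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the Http pair only: SameSite=None with HasSecureAttribute set to false is the combination the Chrome console message describes.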
R&D's current target is to make the SameSite attribute configurable from the GUI starting with the Qlik Sense April 2020 release.
Available in the following and later patches for Qlik Sense:
Qlik Sense February 2020
Qlik Sense November 2018 Patch 8 Update 1
Qlik Sense February 2019 Patch 7
Qlik Sense April 2019 Patch 7
Qlik Sense June 2019 Patch 10
Qlik Sense September 2019 Patch 6
Qlik Sense November 2019 Patch 5
Workaround(s):
- If you are using Chrome versions 79 and below, the default setting for SameSite is "default", which is equivalent to "disabled". You can check it here chrome://flags/#same-site-by-default-cookies. In Chrome versions 80 and newer, "default" will be equivalent to "enabled", which enforces this security setting and will require an update to Qlik Sense to prevent requests from being blocked. The update is provided on the versions documented here under the "Fixed Version" sections. Otherwise as a workaround the SameSite setting can be set to "disabled".
- Edit the domain policy that lists the specific domains allowed to use the legacy SameSite behavior. See Cookie Legacy SameSite Policies.

- Qlik will have official patches available on the patch Wednesdays delivery – Feb 12th 2020.
- Licensee patches will be available on demand as of Feb 3rd 2020, please contact email@example.com.

The fix does have some limitations; bugs in older browsers can cause the following:
|Chrome 51-66; Android releases before 12.13.2|SameSite=None cookies are rejected|External mashups will not work|
|Safari on MacOS 10.14; all browsers on iOS 12|SameSite=None is treated as SameSite=Strict| |