How to find out where TYPO3 cookies are set? - typo3

I have two different installations of TYPO3 10.4.27 and try to remove all cookies.
I wonder why on one site having a contact form the fe_typo_user cookie is set, while on the other site with the exact same form.yaml definition no cookie is set.
Additionally, I have a page where a be_typo_user is set without me doing this intentionally. Edit: I found this one in my own code; I instantiated "BackendUserAuthentication".
It seems to be "normal" to have the fe_typo_user cookie set on pages with forms. When I delete it once and reload the page, it depends on the TypoScript setting config.no_cache whether the cookies are set again or not. With config.no_cache = 0, the cookies won't be set again. With config.no_cache = 1 (which you shouldn't set) the cookies come again and again while doing "delete cookies => reload page". So I recognized that with a "fresh" browser visiting the site where I previously saw no cookie, there is one, too.
I can reproduce this behavior on any TYPO3 v9/v10 site on a page with a form by deleting the frontend cache and loading it with another browser afterwards.
Can I get rid of those cookies? Are they DSGVO relevant for sites without cookie banner?

On the one site with cookies I had config.no_cache = 1 (which you shouldn't set), the other had the default value config.no_cache = 0.
I additionally tested it with two browsers.
Clear Frontend Cache
Hit the page with form in one browser getting cookie set
Hit the same page in another browser getting no cookie

External URL loading issue in custom teams tab

We're trying to load an external URL in our custom tab. The login page for this domain appears successfully; however, when we proceed and try to sign in, it stays on the page and does not redirect the user to the home screen. Here are some observations:
When the same URL is loaded in the Teams "Website" tab, everything works as expected.
The Teams "Website" tab loads the URL as it is, i.e. WITHOUT an iFrame, and the custom tab loads the URL within an iFrame.
In the console window on login inside the iFrame I can see a cookie-related issue which is something like:
"Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests."
Any help or hint would be greatly appreciated.

Magento 2 in Ionic 3 iframe set cookie SameSite=None instead of the defaulted SameSite=LAX

I am having a problem with add to cart in the Ionic framework iframe; the button just gets stuck at Adding... without adding the item to the cart.
I noticed there are some errors/warnings in the Network tab. It says the SameSite cookie was set to Lax because it was not found. Refer to the image below.
So my question is how do I set the SameSite=None as the default cookie in Magento 2? Thanks in advance.
Firstly, try to refactor the domains you use. If everything comes from the same domain, it is not "cross-site response" and this flag is not needed. To know more about why cross-site things are forbidden, have a look at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Secondly, try to upgrade to the latest version (as said by #Tarun), which seems to solve the problem.
Since the current SameSite default for Chrome is None, third-party cookies can track users across sites. The update changes the default label to SameSite=Lax. It means that cookies are set only when the domain in the URL of the browser matches the domain of the cookie. In this situation, we deal with first-party cookies.
As for cookies with the SameSite=None label, they must have a secure flag. It’s a guarantee that they are created and sent only through requests made over HTTPS.
Unfortunately, some languages and libraries do not support the None value yet. As a result, developers should set the cookie header directly. Check this GitHub repository to discover how to implement SameSite=None.
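The console message quoted in the Teams question and the explanation above describe three cases: no (or an invalid) SameSite attribute, which the browser treats as Lax; SameSite=None without Secure, which the browser rejects; and SameSite=None; Secure, which is the only combination that works inside a cross-site iframe. The following is an added example, not code from this thread or from Magento/TYPO3, that parses Set-Cookie header values and classifies them under those rules, and builds a header that refuses the rejected combination. The sample headers, cookie names and values are constructed for the example. It runs under Node.js with no dependencies.

```javascript
// Added example (not from the original thread, Magento or TYPO3): audit and
// build Set-Cookie header values against the SameSite rules the browser
// console message describes. Plain Node.js, no dependencies.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Classify how a cross-site embed (an iframe on another site, as in the Teams
// and Ionic questions) treats this cookie under the Lax-by-default rules.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const secure = attrs.secure === true;
  if (sameSite === null || !['none', 'lax', 'strict'].includes(sameSite)) {
    return { name, crossSite: false, reason: 'SameSite missing or invalid; browser defaults to Lax' };
  }
  if (sameSite === 'none' && !secure) {
    return { name, crossSite: false, reason: 'SameSite=None requires Secure; cookie is rejected' };
  }
  if (sameSite === 'none') {
    return { name, crossSite: true, reason: 'SameSite=None; Secure: sent in cross-site contexts' };
  }
  return { name, crossSite: false, reason: `SameSite=${attrs.samesite}: first-party only` };
}

// Build a Set-Cookie header value, refusing the one combination browsers drop.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = true, httpOnly = true, path = '/' } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None must be combined with Secure');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Constructed sample headers (hypothetical values) in the shape a PHP front end might emit.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly',                             // no SameSite: defaults to Lax
  'form_key=xyz; Path=/; SameSite=None',                             // None without Secure: dropped
  'fe_typo_user=deadbeef; Path=/; Secure; HttpOnly; SameSite=None', // works inside an iframe
];

// What a check over captured response headers would log.
for (const h of SAMPLE_HEADERS) console.log(auditSetCookie(h));
console.log(buildSetCookie('PHPSESSID', 'abc123', { sameSite: 'None' }));
```

The audit treats an unknown SameSite value the same way as a missing one, which matches the console message ("was not set or is invalid"). Note that SameSite=None; Secure only makes the cookie deliverable in the iframe; it does nothing against the cross-site request forgery the Lax default was introduced to limit, so the embedded application still needs its own CSRF token.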

Does 'Clear Cookie' delete the cookie?

There's a Cookies subsection under the Resources tab in DevTools... right clicking on any of the cookies gives me a Clear option. But is this the same as deleting the cookie, or will it just clear the contents? The UI does not remove the cookie from view, it just shows empty content.
Sometimes I may check for the existence of a cookie instead of reading the data from it to verify, so this is a matter of consequence.
I think what you call a cookie is actually a site. If you click on a site, you get a list of the actual cookies for this site on the right side of the window with their name, contents, size etc. Each line is a cookie. You can delete individual cookies there.
When you clear a site, it deletes all the cookies from this site in one click, but as you can't delete a site, it still shows on the left side of the window.
Delete/Clear all features remove cookies completely. You can test it quite easily yourself:
open the Console
type document.cookie
remove a cookie using the Resources tab
type document.cookie again and compare the output with the previous one
You will find out that the cookie you removed with Resources was removed completely.

Silent failure loading page application in iframe over https

Problem
I have an application driving a tab on a client's page. The application works correctly if the user has not enabled FB's "secure browsing" feature. If attempting to view over HTTPS, the iframe doesn't even appear (no errors, no mixed-content warnings). When correctly loading over HTTP, the div with the id "pagelet_app_runner" has an iframe inserted into it and the application content is loaded inside there. Over HTTPS, this div remains empty and the iframe is not inserted into the page. There are no JavaScript errors appearing in Firebug or Chrome's equivalent console.
Why I'm Asking Here
The host has a valid SSL certificate and there is no 'mixed content' at the URL in question. I can successfully view the content over HTTP or HTTPS by visiting the URL directly, and I can do the same by visiting apps.facebook.com/canvasURL/tabURL. It is only when attempting to view within a Page Tab that the HTTPS load fails as described above. My application is configured with both regular and secure canvas and tab URLs.
Attempted Debugging
I've recorded some sessions with Charles, but since the iframe isn't being inserted into the page, I think I'm coming at the problem after it's already occurred. I'm no Charles expert, so happy to be corrected here.
Apache isn't seeing any request (in either regular or ssl logs) for the affected loads. Non-SSL loads come through as expected in access_log.
Plea for Help
I'm out of ideas for debugging this. Does anybody have any suggestions? What really obvious and stupid mistake might I have made? :)
edit: nicer formatting
Your app canvas URL is https://skinnycomp.nextstudio.com.au/skinnycowcomps/ , which sends a 404 error to the Facebook proxy (the request goes through the proxy when viewing the app via a tab); also when viewing your app via apps (https://apps.facebook.com/122381834451561/), again 404... maybe the Facebook proxy is ignoring the 404 and posting blank...
Try changing canvas URL to https://skinnycomp.nextstudio.com.au/skinnycowcomps/tab, also you can check if your app is accessed via page tab, in signed_request there should be page_id...
23:51:15.379[549ms][total 1667ms] Status: 404[Not Found]
GET https://skinnycomp.nextstudio.com.au/skinnycowcomps/
This is a real longshot since I'm sure you've triple checked all the settings, but the blank page can happen if an invalid url is specified in the Page Tab URL field in the app settings. Since it only happens on https, it would imply something specifically with the Secure Page Tab URL entry. It might be worth checking that again, and maybe even re-saving it or changing it to something else to see if it helps.
I was using relative URLs for the regular and secure tab URL fields. From memory, relative URLs here were mandatory at some point in the past. It appears now that a relative URL will still work for HTTP but not for HTTPS. Fix: absolute URLs. Hopefully FB update their field validation to match what's required too.

Facebook iFrame application -- IE7 not allowing cookies

I know this topic has been covered extensively, but I am totally stuck and in need of some direction and new opinions. I have a Facebook iFrame application that works perfectly in IE6, IE8, Safari, Chrome, FF, etc. Only IE7 gives me grief.
I have created a P3P policy file, and its associated XML file. The policy fully validates with the P3P policy validator.
As soon as the iFrame loads from within Facebook, the red eye icon appears and when I click it, it reports that cookies from the iFrame's domain are blocked. I have confirmed that the default 'medium' privacy setting is set on IE7. Interestingly I've found that by removing Google Analytics, the page will load initially without blocking the cookies, but as soon as the page reloads, or the user logs in, cookies are then blocked again even though the P3P header is sent immediately from every page. All assets are sent via S3, so there shouldn't be any issues there.
FYI, here's my P3P file; I've tried absolute paths, relative paths, switching order of CP and policyref, and separated the two into separate header calls with no luck.
header('P3P: CP="NON DSP TAIa PSAa PSDa OUR IND UNI", policyref="/w3c/p3p.xml"');
I have confirmed that the P3P Header is being sent and received by the browser. I have added a META p3p tag to the HTML page. I have removed all redirects. Still the issue persists. I've spent so much time looking into this, and I am now out of ideas. Any thoughts or ideas about how to approach this from a fresh perspective would be greatly appreciated. I'm using PHP 5.3.5 over NGINX. No framework being used...
I had the same problem. Facebook iframe app worked great in all browsers except IE7. When you first went to the app it loaded fine. But then when you clicked a link it would load the page okay but then after a second or so would refresh and redirect the browser. In the end you just got a blank page. I also had the red eye icon blocking the cookies.
The culprit turned out to be the JavaScript code which loads the Facebook JavaScript lib:
FB.init({
appId : '<?=FACEBOOK_APP_ID?>',
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
xfbml : true // parse XFBML
});
To fix the problem I changed status : true, to status : false. Now when clicking links the page loads and doesn't refresh.
So what's really going on here I am not sure, but I have a guess... The redirect was being caused by the FB JavaScript checking the login status and for some reason thinking the user was logged out, and so redirecting to a login page. The server-side login script, I guess, would then see that you had indeed logged in and redirect you back to the app. So on and so on.
So the problem of IE7 not setting the cookies set inside the iframe still exists, the evil eye remains. But as long as the links inside your iframe reference the parent window target="_top" pointing at the facebook canvas page it seems you don't need the cookie anyway. The PHP SDK looks for the session in a number of places starting with $_REQUEST. I am guessing that when facebook loads the iframe it includes the session param in the query string. So even though the cookies don't work in IE7 through the iframe your server scripts will still get them from the query param.
Hope that makes some sort of sense, I don't totally get it but it fixed my app.
I don't know, but maybe this will help; it worked like a charm on my app.
header('P3P: CP="CAO PSA OUR"');
ob_start();
session_start();