
Unable to Disable Chrome SameSite Cookie Behavior changes
absoffthewake
Posted: Thursday, May 20, 2021 12:22:24 PM
Rank: Member
Groups: Member

Joined: 2/12/2020
Posts: 14
We use EO.WebBrowser to access a website that is currently impacted by a recent change to Chrome/Chromium default SameSite cookie behavior settings. In order to work around the issue, we need to change the Chrome flag #cookies-without-same-site-must-be-secure to disabled. We cannot figure out a way to do this with EO.WebBrowser. We have tried:

EO.WebEngine.Engine.Default.Options.ExtraCommandLineArgs = "--disable-features=cookieswithoutsamesitemustbesecure";
_oWebControl.WebView.Engine.Options.ExtraCommandLineArgs = "--disable-features=cookieswithoutsamesitemustbesecure"; (instance)

along with several other syntax variants including:

"--disable-features=CookiesWithoutSameSiteMustBeSecure"
"--disable-features=cookies-without-same-site-must-be-secure"
"--disable-cookies-without-same-site-must-be-secure"

According to the chromium website, https://samesite-sandbox.glitch.me/ can be used to test this setting. The default setting of enabled causes this site to display all green checkmarks. When set to disabled, the site should show a few red X's with invalid on the center row.

Is there a way to configure EO.WebBrowser to disable this flag?
rainstuff
Posted: Friday, May 21, 2021 10:28:08 AM
Rank: Advanced Member
Groups: Member

Joined: 9/20/2016
Posts: 75
absoffthewake, you need to use this option only once. If you want to disable several features, use a delimiter.
For example:
Runtime.DefaultEngineOptions.ExtraCommandLineArgs = "--disable-features=SameSiteByDefaultCookies,PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies";

or

Runtime.DefaultEngineOptions.ExtraCommandLineArgs = "--disable-features=SameSiteByDefaultCookies";

All works:)
eo_support
Posted: Friday, May 21, 2021 1:22:55 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,423
To rainstuff, thanks for helping!
absoffthewake
Posted: Friday, May 21, 2021 3:52:16 PM
Rank: Member
Groups: Member

Joined: 2/12/2020
Posts: 14
@rainstuff Thank you for your help. Unfortunately it did not work for me. The SameSiteByDefaultCookies flag is distinct from the one we need and it does not fix the issue we are having with the problematic website. I also tried this command (setting it only once) to no avail:

Runtime.DefaultEngineOptions.ExtraCommandLineArgs = "--disable-features=CookiesWithoutSameSiteMustBeSecure";

I'm setting this right after initialization, immediately following the AddLicense call. I tried it in other places and it didn't seem to make a difference. Any other ideas?

The expected outcome is this website https://samesite-sandbox.glitch.me/ displays red X's in the center row. Is that the outcome you had?
eo_support
Posted: Saturday, May 22, 2021 2:17:37 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,423
Hi,

We tested this and rainstuff's response seems to be correct. SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure are two different but related options. CookiesWithoutSameSiteMustBeSecure is only enabled when SameSiteByDefaultCookies is enabled. As such, just disabling SameSiteByDefaultCookies would disable both.

We added the following code to App.xaml.cs

Code: C#
EO.WebEngine.EngineOptions.Default.ExtraCommandLineArgs = "--disable-features=SameSiteByDefaultCookies";


Before this line:

Code: C#
MainWindow mainWnd = new MainWindow();


The result is that all of the first four cookies (ck00, ck01, ck02, ck03) are set both for the site itself and cross-site. This is exactly the legacy behavior before the SameSite attribute was introduced.

The last two cookies (ck04 and ck05) are not affected because their SameSite value is explicitly set to Lax/Strict.

Thanks!
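
The interaction between the two features described in the post above, as an added example that is not part of the original thread or EO's code: a simplified JavaScript model that classifies `Set-Cookie` headers under each feature combination and lists the cookies that only work cross-site with the features disabled. The function names and the sample cookie headers are constructed for illustration and are not the test site's cookies.

```javascript
// Simplified model of the two Chromium features discussed in this thread.
// Assumes HTTPS responses and a cross-site subresource request (not a
// top-level navigation). Cookie names below are constructed samples.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// features.sameSiteByDefault models SameSiteByDefaultCookies;
// features.noneMustBeSecure models CookiesWithoutSameSiteMustBeSecure,
// which only takes effect while sameSiteByDefault is on.
function classify(header, features) {
  const c = parseSetCookie(header);
  const explicit = ['strict', 'lax', 'none'].includes(c.sameSite);
  const effective = explicit ? c.sameSite
    : (features.sameSiteByDefault ? 'lax' : 'none');
  const rejected = features.sameSiteByDefault && features.noneMustBeSecure
    && effective === 'none' && !c.secure;
  return { name: c.name, effective, stored: !rejected,
    sentCrossSite: !rejected && effective === 'none' };
}

const DEFAULTS = { sameSiteByDefault: true, noneMustBeSecure: true };
const LEGACY = { sameSiteByDefault: false, noneMustBeSecure: false };

// Cookies that reach a cross-site request only with the features disabled.
function cookiesBrokenByDefaults(headers) {
  return headers
    .filter((h) => classify(h, LEGACY).sentCrossSite
      && !classify(h, DEFAULTS).sentCrossSite)
    .map((h) => parseSetCookie(h).name);
}

const SAMPLE = [ // constructed sample headers
  'a_unset=1; Path=/',
  'b_none=1; Path=/; SameSite=None',
  'c_none_secure=1; Path=/; SameSite=None; Secure',
  'd_lax=1; Path=/; SameSite=Lax',
  'e_strict=1; Path=/; SameSite=Strict',
];

console.log(cookiesBrokenByDefaults(SAMPLE));
```

The cookies it lists are the ones a site would have to send as `SameSite=None; Secure` to keep working cross-site under the default settings.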

absoffthewake
Posted: Monday, May 24, 2021 11:20:34 AM
Rank: Member
Groups: Member

Joined: 2/12/2020
Posts: 14
This is the expected outcome on the test site when you disable the Chrome Flag CookiesWithoutSameSiteMustBeSecure:




When you click the i icon, you should receive the error description: SameSite=None without Secure should be rejected. I am unable to reproduce this behavior in EO.WebBrowser. It is "IBC Compliant" when the samesite=none is rejected. No matter how I set EO, it rejects and therefore is IBC Compliant. In other words, I get all green checkboxes no matter how I configure it. The goal is to allow nonsecure samesite cookies, which should result in a test failure on the test site unless I am missing something. Please advise.
absoffthewake
Posted: Monday, May 24, 2021 11:39:27 AM
Rank: Member
Groups: Member

Joined: 2/12/2020
Posts: 14
Turns out it was a bug in our code. I overlooked a line of code another dev added while troubleshooting that cleared the ExtraCommandLineArgs parameter in the newly created WebControl object.

This syntax worked:
EO.WebEngine.EngineOptions.Default.ExtraCommandLineArgs = "--disable-features=CookiesWithoutSameSiteMustBeSecure";

Thank you!

absoffthewake
Posted: Monday, May 24, 2021 11:56:44 AM
Rank: Member
Groups: Member

Joined: 2/12/2020
Posts: 14
Also had to add it to the App startup as mentioned as it would not apply the setting until the 2nd iteration.
eo_support
Posted: Monday, May 24, 2021 1:10:02 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,423
Great. Glad to hear that it worked for you!

