Prismic toolbar can't access previewSession cookie ("lax") on latest chrome release

[tcharlat]

Related issue prismicio/prismic-client#128

I had a setup properly configured and working 3 weeks ago:

The endpoint was correctly set, the prismic toolbar was loaded via https://static.cdn.prismic.io/prismic.min.js

Then, around 3 to 2 weeks ago, the preview feature stopped functioning.

• there is no toolbar anymore
• the preview cookie is not sent to the server side renderer anymore

Both of these features were working correctly until recently.

When inspecting the page, I have a valid preview cookie

• domain: the correct endpoint of the backoffice
• name: io.prismic.previewSession

But the sdk is seemingly not detecting it's on a preview page and is not triggering the splash screen and toolbar as it was 3 weeks ago.

I can't test to roll back to a previous version of my site, even by checkout on a guaranteed functional commit, since the prismic sdk https://static.cdn.prismic.io/prismic.min.js is some kind of a "latest" version only.

I tried to find some documentation on a semver for the cdn, something like https://static.cdn.prismic.io/prismic.min.js?version=2.1 , but did not find any information indicating something like this is in place.

Can you help me investigate this regression ?

[tcharlat]

I dove in the chrome debugger, the issue is that the iframe can't get the document cookies:

It's hard to say if it's a bug or a false negative that stayed silent too long, some people debate this here:

https://support.google.com/chrome/thread/33543699?hl=en

Once I saw this I checked with Edge and the preview works as intended, reads the io.prismic.previewSession cookie.

I think there may be some settings to update when setting the cookie to allow it to be extracted from iframe, here some more insight.

https://blog.heroku.com/chrome-changes-samesite-cookie

It's highly probable that all browsers may embark on this security train and that the preview will gradually stop working on more and more environment until fixed.

I would advise to consider this very seriously :)

Good luck

[srenault]

Hello,

It's kind of weird since we have updated the backend to set the SameSite attribute to "None".
I just tested and it seems to work well on my side:
.

Could you paste here a screenshot of your cookie panel? If you prefer, we can communicate through our support chat (Intercom).

[tcharlat]

@srenault perfect !
I guess my client has a custom enterprise instance of prismic on premise and is lagging behind on updates.

Could you give me some kind of version identifier where the SameSite attribute has been updated, so that I can open an internal request to update it on our side ?

Thanks for the support, safe to close.

[srenault]

The thing is we don't sell custom enterprise instance. Could you give me the repository name of your client so I can check on which version your client is on?

[tcharlat]

I emailed you on your public github email.

[vbejgrowicz]

Hi,

My team is also experiencing this same issue when trying to preview on the latest chrome release. It looks like the io.prismic.previewSession cookie is being set without SameSite: "None" which is causing the iframe to be unable to get the cookies. Also it looks like it is mistakenly setting a cookie with the key=SameSite and value=None.

See screenshot of my cookie panel:

Let me know if you need anything else!
Thank you!

[w3rafu]

I am having 99+ console error because Cookie “io.prismic.previewSession” has been rejected for invalid domain.