Question
· Aug 21

Invalid CSP response cookie. SameSite cannot be set to None without Secure. : CSP Error

We have a CSP pages script, which gets and sets a cookie for email tracking purposes. We had problems with cookies not being passed to this script when the URL was opened from an email client, due to it being cross-site, so I set Session Cookie Scope & User Cookie Scope to None instead of Strict.

This solved the issue with cookies not being passed; however, the script does not work at all anymore due to the error:

"Invalid CSP response cookie. SameSite cannot be set to None without Secure. : CSP Error"

This doesn't make sense to me since the connection is indeed secure. I also have error logs from Application Logs if they would be helpful.

I've looked and read everywhere, and the interesting part is that our script works on Caché 2017, but since we're migrating, we stumbled upon this issue when we deployed Ensemble 2018. I also noticed that the Cookie Scope options on a web application are new and not present in Caché 2017, so I'm stumped.

Product version: Ensemble 2018.1
$ZV: Cache for UNIX (Red Hat Enterprise Linux for x86-64) 2018.1.9 (Build 805U) Thu Feb 1 2024 08:47:11 EST
Discussion (2)

Thank you for your reply. I have already tried every option: None, Lax and even Strict again.

The error doesn't happen in the browser; in fact, I don't see the error until I dig into the application error log or global.

I'll keep tinkering around. I assume there must be a setting somewhere that is not set; everything else is functional. I'll update this thread if I find something.
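
The rule named in the error message is that a cookie carrying `SameSite=None` must also carry the `Secure` attribute, which is set per cookie in the `Set-Cookie` header. The following is an added example, not code from this thread or from the product: a small Python audit of response headers for that rule. The cookie names, values and paths are constructed sample data.

```python
# Added example: audit Set-Cookie headers for the SameSite=None / Secure rule.
# All cookie names, values and paths below are constructed sample data.

VALID_SAMESITE = {"none", "lax", "strict"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr keys are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return a list of findings for a single Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is not None and samesite.lower() not in VALID_SAMESITE:
        findings.append(f"{name}: unrecognized SameSite value {samesite!r}")
    # Secure is a flag on the cookie itself; it has to be present in the header.
    if samesite is not None and samesite.lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure")
    return findings


def audit_response(headers):
    """headers: list of (name, value) pairs as captured from a response."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


# Constructed sample response headers.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "track_id=abc123; Path=/; SameSite=None"),
    ("Set-Cookie", "track_ok=abc123; Path=/; Secure; SameSite=None"),
    ("Set-Cookie", "sess=xyz; Path=/app; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```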