Invalid CSP response cookie. SameSite cannot be set to None without Secure. : CSP Error

Question

Question

Martin Nielsen · Aug 21, 2024

We have a CSP pages script, which gets and sets a cookie for email tracking purposes, we had problems with cookies not being passed to this script when the URL was opened from an email client due to being cross-site, so I set Session Cookie Scope & User Cookie Scope to None instead of Strict.

This solved the issue with cookies not being passed, however the script entirely does not work anymore due to the error:

"Invalid CSP response cookie. SameSite cannot be set to None without Secure. : CSP Error"

Which doesn't make sense to me since the connection is indeed secure, I also have error logs from Application Logs if this could be helpful.

I've looked and read everywhere, and the interesting part is that our script works on Caché 2017, but since we're migrating we've stumbled upon this issue when we deployed Ensemble 2018, I also noticed that the Cookie Scope options on a web application is new, and is not present in Caché 2017, so I'm stumbed.

Product version: Ensemble 2018.1

$ZV: Cache for UNIX (Red Hat Enterprise Linux for x86-64) 2018.1.9 (Build 805U) Thu Feb 1 2024 08:47:11 EST

Discussion (3)1

Log in or sign up to continue

Martin Nielsen · Aug 28, 2024

The issue was that a secure flag must be set in the parameters of SetCookie method. I couldn't find any documentation on this when upgrading from Caché 2017 to Ensemble 2018.

1 0

score 1 · Answer 1 · 2024-08-22T02:40:31-04:00

Hi,

Try setting the Cookie security to LAX. This essentially has nothing to with the IRIS/Cache version but with the CORS standard implemented in modern browsers.

Cookies with SameSite attribute set to None are only allowed if they are secure. refer to https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

score 0 · Answer 2 · 2024-08-22T04:53:35-04:00

Thank you for your reply, I have already tried every option, None, Lax and even Strict again.

The error doesn't happen in the browser, in fact I don't see the error until I dig into the application error log or global.

I'll keep tinkering around, I assume there must be a setting somewhere not set, everything else is functional - I'll update this thread if I find something.