Cookie restrictions for uStore integrations
Audience: XMPie customers who have integrations with uStore.
Note: Applicable for version 12.1 and higher.
Overview
Recently, cookie security in browsers has been hardened.
When a web page displays a page from another website within an iFrame, and the outer and inner sites have different domains, the site within the iFrame is treated as running in a third-party context and is therefore not allowed to access cookies.
There is no issue if the outer and inner sites use the same domain.
This may have an impact on two types of uStore integrations:
- uStore opens an iFrame to an external site, e.g. in the context of a clearing plugin or a recipient list plugin.
- A website is running uStore Connect within an iFrame.
For further reading, see https://web.dev/samesite-cookie-recipes/
Solutions
- If possible, use the same domain name for the outer and inner websites.
- Another approach is not to use an iFrame, and instead redirect from the outer to the inner website and back.
- If the above solutions are not applicable, set the outer website to trust the inner website. Use the following method:
In the Back Office, go to Presets > System Setup > Global Configuration, add a new key called SuppressCookieSameSiteRestriction and set it to True.
The following restrictions apply:
- The outer and inner websites must be secured using HTTPS.
- If two outer websites use the same domain, e.g. two uStore stores, you will not be able to browse the two stores in the same browser, unless they both use HTTPS.
- If you still want to use a store without HTTPS, you can use a different domain or sub-domain.
Created by: Guy Schreiber, last updated: January, 2020