If you are running APEX applications within an iframe then changes are coming. Read on to find out how these changes may impact you and what you can do to mitigate their impact on your applications.
Background
One of our main uses cases for running APEX inside an iframe is when we embed APEX application with Oracle’s ERP Cloud. As shown below, this gives users a near seamless experience when moving between standard ERP Cloud pages and our custom APEX pages. Further examples can be found here.
As we all know APEX relies on a session cookie to keep track of your current APEX session. Without the ability to maintain a session cookie, you are forced to make your application public (99% of the time, this is not a good idea).
In May of 2019, Google warned changes were coming to the way Chrome handles cookies. In February of 2020, Google announced these changes are being rolled out into version 80 of Chrome. (Read here for the details: https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html).
In May of 2019, Google warned changes were coming to the way Chrome handles cookies. In February of 2020, Google announced these changes are being rolled out into version 80 of Chrome. (Read here for the details: https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html).
What will Happen
Any APEX applications that rely on cookies that are running in an iframe, which do not have the same URL as the container site, will stop working. You will see a message like the following in the Chrome Console.
Workaround
We reached out to the APEX development team (via Joel Kallman) and asked what we could do. That same day (what else would you expect), Christian responded with a workaround. The workaround involves a small change to any Authentication Schemes your application uses. These instructions should work for APEX 18.1 or above.
Navigation: Application > Shared Components > Authentication Schemes > Create / Edit
Navigation: Application > Shared Components > Authentication Schemes > Create / Edit
- Change Type to ‘Custom’
- If you have ORDS setup to have /apex in the URL
- Set Cookie Path to ‘/apex; SameSite=none’
- If you have the default path for ORDS /ords
- /ords; SameSite=none
- /ords; SameSite=none
- Finally, set ‘Secure’ on
When you look at an APEX application session cookie using Chrome Tools, you should see something like the following:
Please note, per Christian, some older versions of browsers do not support samesite=none.
https://www.chromium.org/updates/same-site/incompatible-client
https://www.chromium.org/updates/same-site/incompatible-client
Long Term
According to the development team there are plans to introduce the samesite=none attribute into the session cookie in APEX out of the box. Of course, they would not commit to which APEX version this change will be released in, but we are hopeful it will be soon.
Conclusion
Browsers are changing constantly and as full stack developers, we need to pay attention to what is going on in the browser world as well as the database world. Make a habit of opening Chrome/Firefox/Safari/... developer tools when you are testing your APEX Apps and pay attention to the warning messages.
Authors
Jon Dixon and Matt Paine. Co-Founders of JMJ Cloud.
RSS Feed