JMJ CLOUD
Upcoming SameSite cookie changes and the impact for APEX Apps running in an iframe

4/12/2020

If you are running APEX applications within an iframe then changes are coming. Read on to find out how these changes may impact you and what you can do to mitigate their impact on your applications.

Background

One of our main use cases for running APEX inside an iframe is embedding APEX applications in Oracle’s ERP Cloud. As shown below, this gives users a near seamless experience when moving between standard ERP Cloud pages and our custom APEX pages. Further examples can be found here.
APEX and ERP Cloud
As we all know, APEX relies on a session cookie to keep track of your current APEX session. Without the ability to maintain a session cookie, you are forced to make your application public (99% of the time, this is not a good idea).
 
In May of 2019, Google warned changes were coming to the way Chrome handles cookies. In February of 2020, Google announced these changes are being rolled out into version 80 of Chrome. (Read here for the details: https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html).

What will Happen

Any APEX application that relies on cookies and runs in an iframe served from a different site than the container page will stop working. You will see a message like the following in the Chrome console.
Same Site Cookie Warning

Workaround

We reached out to the APEX development team (via Joel Kallman) and asked what we could do.  That same day (what else would you expect), Christian responded with a workaround. The workaround involves a small change to any Authentication Schemes your application uses. These instructions should work for APEX 18.1 or above.
 
Navigation: Application > Shared Components > Authentication Schemes > Create / Edit
  • Change Type to ‘Custom’
  • If you have ORDS set up to have /apex in the URL
    • Set Cookie Path to ‘/apex; SameSite=none’
  • If you have the default path for ORDS /ords
    • Set Cookie Path to ‘/ords; SameSite=none’
  • Finally, set ‘Secure’ on

APEX Authorization Scheme Changes
When you look at an APEX application session cookie using Chrome Tools, you should see something like the following:
Session Cookie in Chrome Tools

Please note, per Christian, some older versions of browsers do not support samesite=none.
https://www.chromium.org/updates/same-site/incompatible-client
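
To check the result of the workaround outside of DevTools, the following added example (not part of the original post or of APEX) classifies a Set-Cookie header by how Chrome 80 and later treat the cookie when the page is framed by a different site. The function name, verdict labels and sample headers are constructed for illustration, and it assumes the Cookie Path value is written verbatim into the header's Path attribute.

```javascript
// Classify a Set-Cookie header by how Chrome 80+ treats the cookie when the
// page that set it is loaded in an iframe on a different site.
// Hypothetical helper written for this example; not an APEX or ORDS API.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const nameEnd = pair.indexOf('=');
  const name = nameEnd === -1 ? '' : pair.slice(0, nameEnd);
  let path = null;
  let sameSite = null;
  let secure = false;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'path') path = value;
    else if (key === 'samesite') sameSite = value.toLowerCase();
    else if (key === 'secure') secure = true;
  }
  let verdict;
  if (sameSite === 'none') {
    // SameSite=None is only honoured together with Secure.
    verdict = secure ? 'sent-in-cross-site-iframe' : 'rejected-none-without-secure';
  } else if (sameSite === 'strict' || sameSite === 'lax') {
    verdict = 'blocked-in-cross-site-iframe';
  } else {
    // Missing or unrecognised SameSite: the browser defaults to Lax.
    verdict = 'blocked-defaults-to-lax';
  }
  return { name, path, sameSite, secure, verdict };
}

// Constructed sample headers (not captured from a real server).
const samples = {
  // Authentication scheme left at its defaults.
  before: 'ORA_WWV_APP_100=ORA_WWV-abc123; Path=/ords; HttpOnly',
  // Cookie Path changed, but 'Secure' left off.
  noSecure: 'ORA_WWV_APP_100=ORA_WWV-abc123; Path=/ords; SameSite=none; HttpOnly',
  // Cookie Path set to '/ords; SameSite=none' and 'Secure' switched on.
  after: 'ORA_WWV_APP_100=ORA_WWV-abc123; Path=/ords; SameSite=none; Secure; HttpOnly',
};

for (const [label, header] of Object.entries(samples)) {
  console.log(label, auditSetCookie(header));
}
```

The middle sample shows why the last step of the workaround matters: with SameSite=none but without Secure, the cookie is rejected rather than stored.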

Long Term

According to the development team there are plans to introduce the samesite=none attribute into the session cookie in APEX out of the box. Of course, they would not commit to which APEX version this change will be released in, but we are hopeful it will be soon.

Conclusion

Browsers are changing constantly and as full stack developers, we need to pay attention to what is going on in the browser world as well as the database world. Make a habit of opening Chrome/Firefox/Safari/... developer tools when you are testing your APEX Apps and pay attention to the warning messages.

Authors

Jon Dixon and Matt Paine. Co-Founders of JMJ Cloud.

1 Comment
Alberto Mora Porras
8/21/2020 01:24:51 pm

Thank you very much. This is the specific tutorial that I was looking for, you have saved my life! :)
